struts-user mailing list archives

From Dave Newton <newton.d...@yahoo.com>
Subject Re: Login mechanism - preserve Action parameters
Date Sun, 19 Jul 2009 19:15:08 GMT
Have you considered using an interceptor for determining whether or not 
the user is logged in? Actions requiring login can be marked with an 
interface, annotation, etc. IMO this is a substantially cleaner 
architecture.

I'd also *strongly* discourage tying your actions to Hibernate like 
this; it makes testing more difficult than necessary and introduces an 
unnecessary level of coupling.

All that said, I'm not really sure which parameters aren't being 
preserved--are you doing a redirect?

Dave

mathias-ewald wrote:
> Hi,
> 
> a few days ago I implemented a login mechanism into my web application.
> Therefore I use an abstract BaseAction, that asks the implementing class
> whether it wants to be password protected or not. If it does and there's no
> object named "user" available the Login.jsp is shown. When the Login form
> returns the user object is placed into session scope. 
> 
> The Problem is, that after the Login.jsp has returned to the BaseAction all
> parameters that were passed to the implementing Action are lost. 
> 
> What can I do?
> 
> Here's my code:
> 
> BaseAction.java
> -------------------------------------------------------------------------------
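> /**
>  * Base class for actions that can demand a logged-in user.
>  *
>  * <p>{@link #execute()} handles an optional logout, an optional login
>  * attempt, and then asks the concrete action through
>  * {@link #isAllowed(UserAccount)} whether the request may proceed.
>  *
>  * <p>NOTE(review): login and logout are handled in every subclass, so any
>  * action URL accepts "username", "password" and "logout" if the elided
>  * setters are reachable as request parameters (to be confirmed). Credentials
>  * sent that way on a GET request would end up in URLs and access logs.
>  */
> public abstract class BaseAction {
>
> 	/** Returned by {@link #isAllowed(UserAccount)} to let the action run. */
> 	public static final Integer ALLOWED = 0;
>
> 	/** Returned by {@link #isAllowed(UserAccount)} to send the caller to "login". */
> 	public static final Integer DENIED = 1;
>
> 	/** Returned by {@link #isAllowed(UserAccount)} to answer with "permissionError". */
> 	public static final Integer DENIED_GROUP = 2;
>
>
> 	private String logout = "false";
>
> 	private String username;
>
> 	private String password;
>
> 	protected Log log;
>
>
>         public BaseAction() {}
>
>
> 	/**
> 	 * Processes logout and login, then delegates to the concrete action
> 	 * if access is allowed.
> 	 *
> 	 * @return "loginError" when the login attempt fails, "permissionError"
> 	 *         when {@link #isAllowed(UserAccount)} answers
> 	 *         {@link #DENIED_GROUP}, the result of {@link #executeAction()}
> 	 *         when it answers {@link #ALLOWED}, and "login" in every other case
> 	 */
> 	public String execute() {
> 		if (log == null) {
> 			log = LogFactory.getLog(getClass());
> 		}
>
> 		Map<String, Object> session = ActionContext.getContext().getSession();
>
> 		/*
> 		 * Logout: drop the user object from session scope.
> 		 * NOTE(review): only the "user" entry is removed; the session itself
> 		 * and any other attributes in it stay alive. Confirm that is intended.
> 		 */
> 		if ("true".equals(logout)) {
> 			Object previous = session.remove("user");
> 			if (previous instanceof UserAccount) {
> 				log.info("User " + forLog(((UserAccount) previous).getName()) + " logged out.");
> 			}
> 		}
>
> 		/*
> 		 * Login: only attempted when both credentials were submitted.
> 		 * Both failure paths return the same result, so the response does
> 		 * not reveal whether the account name exists.
> 		 */
> 		if (username != null && password != null) {
> 			UserAccount candidate = findUserByName(username);
>
> 			if (candidate == null) {
> 				log.info("Error authenticating user " + forLog(username));
> 				return "loginError";
> 			}
>
> 			if (!passwordMatches(candidate, password)) {
> 				log.info("Password mismatch for user " + forLog(username));
> 				return "loginError";
> 			}
>
> 			/*
> 			 * NOTE(review): the session identifier is not renewed here, so a
> 			 * session id that existed before login stays valid afterwards
> 			 * (session fixation). Renew it where the servlet session is
> 			 * accessible. The stored object also carries the password hash.
> 			 */
> 			session.put("user", candidate);
> 			log.info("User " + forLog(candidate.getName()) + " logged in.");
> 		}
>
> 		/*
> 		 * At this point the session either holds an authenticated
> 		 * UserAccount or nothing usable; anything else counts as anonymous.
> 		 */
> 		Object stored = session.get("user");
> 		UserAccount user = (stored instanceof UserAccount) ? (UserAccount) stored : null;
>
> 		/*
> 		 * Ask the concrete action. A null answer or an unknown code falls
> 		 * through to "login", so the check fails closed instead of throwing
> 		 * on unboxing.
> 		 */
> 		Integer decision = isAllowed(user);
> 		if (ALLOWED.equals(decision)) {
> 			return executeAction();
> 		}
> 		if (DENIED_GROUP.equals(decision)) {
> 			return "permissionError";
> 		}
> 		return "login";
> 	}
>
> 	/**
> 	 * Loads the account with the given name, or null if there is none.
> 	 * The Hibernate session is closed on every path, including when the
> 	 * query throws.
> 	 */
> 	private UserAccount findUserByName(String name) {
> 		Session s = HibernateUtil.getSessionFactory().openSession();
> 		Transaction tx = null;
> 		try {
> 			tx = s.beginTransaction();
> 			// The name is bound as a criteria value, not concatenated into a query string.
> 			UserAccount found = (UserAccount) s.createCriteria(UserAccount.class)
> 				.add(Restrictions.eq("name", name))
> 				.uniqueResult();
> 			tx.commit();
> 			return found;
> 		} catch (RuntimeException e) {
> 			if (tx != null) {
> 				tx.rollback();
> 			}
> 			throw e;
> 		} finally {
> 			s.close();
> 		}
> 	}
>
> 	/**
> 	 * Compares the stored hash with the hash of the submitted password,
> 	 * ignoring letter case, in time independent of where they differ.
> 	 * An account without a stored hash never matches.
> 	 *
> 	 * <p>NOTE(review): MD5Util.md5 receives only the password, so the stored
> 	 * value is by its name an unsalted MD5 digest. That is not adequate for
> 	 * password storage; move to bcrypt, scrypt or Argon2 and re-hash existing
> 	 * accounts at their next successful login. It is left unchanged here
> 	 * because the stored hashes have to stay verifiable.
> 	 */
> 	private static boolean passwordMatches(UserAccount account, String suppliedPassword) {
> 		String storedHash = account.getPasswordhash();
> 		if (storedHash == null) {
> 			return false;
> 		}
> 		byte[] expected = storedHash.toLowerCase(java.util.Locale.ROOT)
> 			.getBytes(java.nio.charset.StandardCharsets.UTF_8);
> 		byte[] actual = MD5Util.md5(suppliedPassword).toLowerCase(java.util.Locale.ROOT)
> 			.getBytes(java.nio.charset.StandardCharsets.UTF_8);
> 		return java.security.MessageDigest.isEqual(expected, actual);
> 	}
>
> 	/**
> 	 * Makes a request-supplied value safe to put on a single log line by
> 	 * replacing control characters such as CR and LF, so a crafted user name
> 	 * cannot forge additional log entries.
> 	 */
> 	private static String forLog(String value) {
> 		return value == null ? "null" : value.replaceAll("\\p{Cntrl}", "_");
> 	}
>
> 	/** Runs the concrete action once access has been granted. */
> 	public abstract String executeAction();
>
> 	/**
> 	 * Decides whether the given user may run this action.
> 	 *
> 	 * @param user the logged-in account, or null when nobody is logged in
> 	 * @return {@link #ALLOWED}, {@link #DENIED} or {@link #DENIED_GROUP}
> 	 */
> 	public abstract Integer isAllowed(UserAccount user);
>
>        // getter and setter methods
>
> }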
> -------------------------------------------------------------------------------
> 
> Login.jsp
> -------------------------------------------------------------------------------
> <%-- Login page rendered when an action answers with the "login" result. --%>
> <html>
> <head>
> <jsp:include page="/common/Head.jsp"/>
> </head>
> <body>
> 
> <div id="container">
> 	<jsp:include page="/common/Header.jsp"/>
> 	
> 	<div id="navi">
> 		Main &gt; Login
> 	</div>
> 		
> 	<div id="body">
> 		<br><br><br><br><br>
> 		<div style="width: 40%; margin: 0 auto;">
> 			This page is protected! Please login:
> 			<br><br>
> 			<%-- Credentials are sent with POST, which keeps them out of the URL.
> 			     The form declares no action and holds only the two fields below;
> 			     no hidden field carries over parameters of the request that led here.
> 			     NOTE(review): no s:token or other anti-forgery field is present;
> 			     confirm whether one is wanted for the login form. --%>
> 			<s:form method="post">
> 				<s:textfield label="Username" name="username"></s:textfield>
> 				<s:password label="Password" name="password"></s:password>
> 				<s:submit></s:submit>
> 			</s:form>
> 		</div>
> 	</div>
> 	
> 	<jsp:include page="/common/Footer.jsp"/>
> </div>
> 
> </body>
> </html>
> -------------------------------------------------------------------------------
> 
> Is there any chance to have the parameters preserved?
> 
> 
> cu
> mathias
