Security Check on Every Page 1

[fatcodeguy]

Hi,

I perform a security check on every page to check if a user is logged in, and what his/her access is. If they haven't logged in, or don't have access, it redirects them to the login page.

Is there another way to do this (like have a servlet or something check for it) instead of having the scriptlet on every page?

Thanks

 

[byam]

There are couple ways to do this.

1. Realm. If you are using Tomcat you can find example at

http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html

2. If you are using Struts, implements the security check in a customer RequestProcess. Overriding the processPreprocess() method to do the security check, forward to a login page if check failed. This way, all Struct actions will goes through the security check in processPreprocess().

 

[fatcodeguy]

I've heard of Realm, but I'd like to stay away from container specific implementations (as this app will likely end up in Oracle 9iAS anyway), so I'm thinking method (2) is best.

But... I don't even know how to begin. Any documentation you can point me towards?

Thanks!

 

[byam]

I don't have any documenation on hand, but I can quick give you a example:

Step 1: Create a customer Requestprocess class:

package myPackage;

import org.apache.struts.action.RequestProcessor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyProcessor extends RequestProcessor{
    private static String loginPageURI = "/login.do";

    public boolean processPreprocess (HttpServletRequest request,
                                      HttpServletResponse response) {

        if (!isLogin(request) 
            && request.getRequestURI().equal(loginPageURI)) {
           // not login and not requesting for login page
           response.sendRedirect(loginPageURI);
           return false;
        } 
        return true;
  
    }

    private boolean isLogin(HttpServletRequest request) {
        //// check if user is login
        return true;
    }

Step 2: In your structs-config.xml file, tells struts to use the custom RequestProcessor created above. According to the DTD, The controller element has to be place after action-mapping and before any plug-in or message-resources

    <controller processorClass="myPackage.MyProcessor" />

Hope this help.

 

[byam]

You should add the following code at the begining of the processPreprocess() method

if (!super.processPreprocess(request, response)) {
  // already fail the preProcess in the super class. 
  // don't bother to go further.
  return false;
}

 

[fatcodeguy]

AWESOME!! Thanks a lot!!

 

[fatcodeguy]

I programmed my pre processor and changed the entry in the struts-config.xml file to access that controller. The problem is that the processor is only called when the URI is a *.do URI (as configed in web.xml), and I need it to check for *.jsp as well.

Does that mean I need to configure 2 servlets with 2 mappings in the web.xml file? or can I make the existing servelet (action) mapped to *.do and *.jsp? Or both, in which case, which is better?

Thanks

 

[byam]

One way is to avoid calling the JSP page directly. Even there is no Action class for a JSP page, you can still assign a action mapping by using set forward attribute. for example, a JSP with URI /content/example.jsp, assign a action mapping with:

<action forward="/content/example.jsp" path="/content/example" validate="false"/>

then instead of calling /context/example.jsp directly, you call, /context/example.do. This way, example.do will go through the RequestProcess, and you don't need to implment any action class. All you need is a action mapping.

However, if you perfer to keep using *.jsp URI. Then better implement your security check in a servlet filter, that it does not depend on Struts at all.

 

[jjgould]

I'd like to take this discussion on a slight tangent...

I am using RSA ClearTrust for single sign on, and I would like to use the "role" attribute available in various Struts tags (especially Tiles tags). The RequestProcessor.processRoles() method uses request.isUserInRole() to examine user roles.

With ClearTrust, I have to use an alternate method to get the user's roles. So, my first idea was to subclass RequestProcessor and override processRoles(). However, as I investigated further, I found six additionsal Struts classes that call request.isUserInRole(). Most of these are Tag classes, so for me to subclass them and use them I would have to modify the TLD files -- or create my own taglib, just to use the extended classes.

So, I am wondering two things:

1. Has anyone had experience using a 3rd party package, like ClearTrust, for authentication. And, if so, did you find a way of using the "role" attribute?

2. Seeing the MultiparRequestWrapper class gave me the idea of creating a ClearTrustRequestWrapper that could provide the correct implementation of isUserInRole(). However, I suspect I would have to use a servlet filter to accomplish this. Does anyone have any experience with this?

Thanks very much for any help you can give!

- Jack Gould
Sherwin-Williams
Cleveland, OH