Hi, right now I have:
  <%
  if(session.getAttribute("verified") == null){
       response.sendRedirect("../PortalLogin.jsp");
      return;
  }
 %>

Inside of a jsp page. Basically if the user isn't verified, it redirects to the login page.

Well, I have a struts action (a global forward) that forwards to the login page and i would like to be able to call the struts forward from within every jsp page rather than do the response redirect. Can this be done, and how? Thanks!

Hi, right now I have:&nbsp;&nbsp;<%&nbsp;&nbsp;if(session.getAttribute("verified") == null){&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;response.sendRedirect("../PortalLogin.jsp");&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return;&nbsp;&nbsp;}&nbsp;%>Inside of a jsp page. Basically if the user isn't verified, it redirects to the login page.Well, I have a struts action (a global forward) that forwards to the login page and i would like to be able to call the struts forward from within every jsp page rather than do the response redirect. Can this be done, and how? Thanks!

Why are you doing the redirect from the JSP, instead do the redirect from the underlying Action itself..!

What I'm doing is posting the code in the jsp that checks to see if there is a variable in the session. If that variable is not there, then I want to redirect the user to the login page and do Not display any of the page contents. So that is why the piece of code is in there. Does that make sense?

What I'm doing is posting the code in the jsp that checks to see if there is a variable in the session. If that variable is not there, then I want to redirect the user to the login page and do Not display any of the page contents. So that is why the piece of code is in there. Does that make sense?

Well that did make sense, that you are using a piece of code (scriptlet) in JSP, for checking the existence of a session variable.

What I wanted to say is; since you are developing in struts framework (You are since you said you have a global Struts Action ?),

The easier way in struts to do such a task , is to check the existence/validity of such a session variable inside the execute method of an action class from which you can define forward mappings in struts-config.xml file and control your navigation instead.

/**Action Class Execute Method*/
public ActionForward execute(ActionMapping mapping,
                             ActionForm form,
                             HttpServletRequest request,
                             HttpServletResponse response)throws Exception
{
  // DO something like this

  if(request.getSession().getAttribute("xxx")==null)
   {
           return mapping.findForward("login");
   }
      
   return mapping.findForward("doXXX");
   
}

And in the struts-config.xml you can have an entry

<!-- Redirect -->

<action path="/doXXX"
                type="za.co.xxx.MyAction">
<forward name="login" path="Specify the page" />
<forward name="doXXX" path="Specify the page" />
</action>

This will help you without having the 'piece of code' on any JSP Page;

If I am still mistaken , be free to revert .>!

J

That's good, and I actually use that same type of code in my action classes. HOWEVER, what if a user types in the direct jsp page into the browser such as www.mysite.com/documents.jsp

No action will be called, so that wont work. The jsp has to have the code in it to protect your page, assuming you aren't using a filter. Right? Am I off the deep end :)? Set me straight here.

That's good, and I actually use that same type of code in my action classes. HOWEVER, what if a user types in the direct jsp page into the browser such as www.mysite.com/documents.jspNo action will be called, so that wont work. The jsp has to have the code in it to protect your page, assuming you aren't using a filter. Right? Am I off the deep end :)? Set me straight here.

Either put JSP pages under WEB-INF, or create a security rule which prohibits users to load files from a certain directory or with certain extension.

So you guys are telling me that there is no way to do something like this:

page.jsp:

  <%
  if(session.getAttribute("verified") == null){
  return(mapping.findForward("portallogin"));
  }
 %>



??? Really? The above fake code is what i would like to do.

So you guys are telling me that there is no way to do something like this:page.jsp:&nbsp;&nbsp;<%&nbsp;&nbsp;if(session.getAttribute("verified") == null){&nbsp;&nbsp;return(mapping.findForward("portallogin")); &nbsp;&nbsp;}&nbsp;%>??? Really? The above fake code is what i would like to do.

Of course, you can do that. But you would need to write this (or include this piece) in every page you want to protect.

Also, I personally seem this as illogical. If users are supposed to use actions, and JSP pages are shown only by server, then before displaying a page server should already know is it allowed to display it or not. You might say that this protection is from occasional direct access by a user. Great, then hide these files from a user altogether.

I wasn't sure if having the code in your JSP was a requirement at all; but, one approach you might consider is implementing a servlet Filter and reference that in web.xml. You could have the filter apply to all requests, or a subset of request (by URL). In there, you could check for your session variable, and either proceed to the intended URL or redirect to your Struts action.

For example:

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
{
HttpServletRequest request = (HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
HttpSession session = request.getSession();

Boolean tVerified = (session.getAttribute("verified") != null);
if (!tVerified)
{
response.sendRedirect("PortalLogin.jsp");
return; // return so that we do not chain to other filters
}

// allow others filter to be chained
chain.doFilter(request, response);
}

I actually have that exact same servlet filter implemented already. I just have the jsp code there as a backup, in case my program goes on a machine and there isn't a servlet filter. Plus, I'd like to just know the answer so i know for knowing sake :) Any ideas on how to do the call from the jsp if possible?

could you have this in your JSP:

<%@ taglib uri="/WEB-INF/tlds/struts-logic.tld" prefix="logic" %>
<logic:redirect forward="NAME_OF_YOUR_GLOBAL_FORWARD"/>


A good option might be to verify the user on every request...and put your redirect logic in a servlet filter.

You filter setup(in web.xml) might look something like

    <filter>
        <filter-name>AuthorisationFilter</filter-name>
        <filter-class>com.your.package.filters.AuthorisationFilter</filter-class>
        <init-param>
            <!-- This parameter is relative to the application context, so must start with a / -->
            <param-name>UNAUTHORISED_REDIRECT_PAGE</param-name>
            <param-value>/accessDenied.do</param-value>
        </init-param>
        <init-param>
            <!-- This parameter is relative to the application context, so must start with a / -->
            <param-name>LOGON_REDIRECT_PAGE</param-name>
            <param-value>/logonRequired.do</param-value>
        </init-param>
    </filter>

Hi, right now I have:&nbsp;&nbsp;<%&nbsp;&nbsp;if(session.getAttribute("verified") == null){&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;response.sendRedirect("../PortalLogin.jsp");&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return;&nbsp;&nbsp;}&nbsp;%>Inside of a jsp page. Basically if the user isn't verified, it redirects to the login page.Well, I have a struts action (a global forward) that forwards to the login page and i would like to be able to call the struts forward from within every jsp page rather than do the response redirect. Can this be done, and how? Thanks!

Use the struts redirect tag in logic library. The scriplet in a previous thread also would work

http://struts.apache.org/struts-el/tlddoc/logic/redirect.html

Thanks,
Benjamin

http://www.benjaminthomas.info

That's what I've been looking for guys, the logic:redirect tag. I will try it out and see if it does the trick. Thanks!

Thanks again, appreciate the help.




"The CubeSlacker"
-www.CubeSlacker.com