User Validation and Struts



There are several ways to perform user validation and access control using Struts. One way is through the servlet container itself. Recent implementations of JSP servers (Tomcat 4.0.1, for example) offer an authentication technology called Realms. Realms enables you to specify servlets that should be restricted, and attach to a variety of datasources (JDBC, XML, and so on) to look up access information.

Realms, however, is a bit complicated to set up, especially in a sample application like this. Frankly, there's really nothing wrong with the time-tested way of doing things, which is to store a flag on the session that indicates that the user has logged in, and control access based on that flag.

In fact, Struts makes this approach easier. In model I JSP processing, you need to include code at the top of each page that checks whether the user is allowed to view the page. In Struts, you can decouple this business logic from the view by putting the check in the Action that provides access to that page.

For example, take a look at the Action class for the action that provides access to the portfolio maintenance page (see Listing 8.9).

Listing 8.9 PortfolioAction.java
package stocktrack.struts.action;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.Action;

/**
 * stocktrack.struts.action.IndexAction class.
 * this class used by Struts Framework process the
 * stocktrack.struts.form.BlankForm form.
 * - method invoked by HTTP request is perform(....)
 * - form name is blankForm
 * - input page is /index.jsp
 * - scope name is request
 * - path for this action is /index
 *
 * struts-config declaration:
 * <action name="blankForm"
 *         path="/index"
 *         type="stocktrack.struts.action.IndexAction"
 *         input="/index.jsp"
 *         scope="request"
 *         validate="true" >
 *            <!-- yours forwards -->
 * </action>
 *
 * @see org.apache.struts.action.Action org.apache.struts.action.Action
 * Generated by StrutsWizard.
 */
public class PortfolioAction extends org.apache.struts.action.Action {
  public ActionForward perform(ActionMapping mapping,
                               ActionForm form,
                               HttpServletRequest request,
                               HttpServletResponse response)
     throws IOException, ServletException {
    // No login flag on the session: send the user to the "home" forward
    // instead of the portfolio page.
    if (request.getSession().getAttribute(stocktrack.Constants.VALIDATED_USER)
                                                                    == null) {
      return mapping.findForward("home");
    }
    // Flag present: the user has logged in, so show the portfolio.
    return mapping.findForward("portfolio");
  }
}

Because the Action checks whether the user is logged in before returning the mapping to the portfolio, there's no way that a user can gain access to the portfolio page until he logs in. Even if he bookmarks the page, it will run this Action first. That's because the user never actually sees the real URL of the JSP file, only the .do name of the Struts Action.
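When several pages need the same protection, the session-flag check from Listing 8.9 can live in one base class so that no individual Action can forget it. The following is an added example, not code from the book: `AuthenticatedAction` and `performAuthenticated` are hypothetical names, while `stocktrack.Constants.VALIDATED_USER` and the `home` and `portfolio` forwards are taken from the listing above.

```java
// ---- AuthenticatedAction.java (hypothetical base class, not from the book) ----
package stocktrack.struts.action;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public abstract class AuthenticatedAction extends Action {

  // final: a subclass cannot override perform() and skip the login check.
  public final ActionForward perform(ActionMapping mapping, ActionForm form,
                                     HttpServletRequest request,
                                     HttpServletResponse response)
      throws IOException, ServletException {
    // getSession(false) does not create a session for an anonymous request.
    HttpSession session = request.getSession(false);
    if (session == null
        || session.getAttribute(stocktrack.Constants.VALIDATED_USER) == null) {
      return mapping.findForward("home");   // same forward as Listing 8.9
    }
    return performAuthenticated(mapping, form, request, response);
  }

  // Runs only after the login flag has been found on the session.
  protected abstract ActionForward performAuthenticated(
      ActionMapping mapping, ActionForm form,
      HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException;
}

// ---- PortfolioAction.java (separate file, same package and imports) ----
public class PortfolioAction extends AuthenticatedAction {
  protected ActionForward performAuthenticated(
      ActionMapping mapping, ActionForm form,
      HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException {
    return mapping.findForward("portfolio");
  }
}
```

The check in the Action is the only gate as long as the JSP it forwards to cannot be requested by its own URL, for example because it is stored under WEB-INF, which the servlet container does not serve directly to clients.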



Struts Kick Start
ISBN: 0672324725
Year: 2002
Pages: 177
