Archive for December, 2009

Life@2009

December 27, 2009

Another year is saying bye…
This year I made only a few blog

Looking at personal life, in September we made a second honeymoon trip to Mahabaleshwar. We celebrated Onam in Kerala with our whole family. We spent about 10 days in Kerala. We went to Guruvayur temple and then to Veegaland also.

Looking at the professional side, I had an absolutely eventful year. I moved to a different project within the same company, and it is very interesting to roll out projects in shorter time frames. I had the opportunity to work on three different products. In between, lots of good friends left the company. In December I also resigned from my current employer, and the new year is going to start with a new company.

My wife and I wish you a happy and prosperous new year.

Categories: Uncategorized

Security Design for each request in web application [Struts]

December 26, 2009

In a web-based application, authentication needs to be checked for every subsequent request, not only at login.
The main design question is where to check each request's authenticity and the validity of the user's session.
The common practice I have seen is to check the user's credentials at login time and save the user information in the session as an attribute. After that, for each request that comes in, the application performs a check against the session attributes.
The main issue is where this code should be written.

Books and articles suggest different places to put this code.

1. Writing in the Action class.
In this approach all requests have to go through the action classes. The first line of the execute method should perform the user authentication check. You need to write this logic in each and every action class. Otherwise, all your action classes must extend your own base action class, where the user check is written in one common place.
For example:

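import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Base class for every action that requires a logged-in user.
public abstract class SecureAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
                                 throws Exception {
        // User authentication check: no "userid" in the session means not logged in.
        if (request.getSession().getAttribute("userid") == null) {
            return mapping.findForward("login");
        } else {
            // some user specific check
        }
        // User authentication end
        return executeAction(mapping, form, request, response);
    }

    // Subclasses put their own logic here instead of overriding execute().
    public abstract ActionForward executeAction(ActionMapping mapping, ActionForm form,
                                                HttpServletRequest request, HttpServletResponse response)
                                                throws Exception;
}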

Requests that do not go through an action class cannot take part in the security check, for example static content and direct URL access to pages.

2. Defining your own tag library and including it in each and every JSP page.
This requires changing every page to add the tag.

3. Writing in request filters
In this case you can check that each and every request is valid using Servlet Filters. It is an efficient mechanism, but it affects performance.

4. Another efficient implementation is extending RequestProcessor
Extend the RequestProcessor class and write the security implementation in the following overridden methods:
processPreprocess()
processRoles()
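
A sketch of approach 4, added here as an example and not taken from the original post or from Struts itself. It assumes Struts 1.x with the ActionServlet mapped to *.do; the class name, the "/login.do" path and the "roles" session attribute are hypothetical, and "userid" is the attribute used in the SecureAction example above.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class SecureRequestProcessor extends RequestProcessor {
    // Assumption: ActionServlet is mapped to *.do and this is the login action.
    private static final String LOGIN_PATH = "/login.do";

    // Called before an Action is selected; returning false ends the request.
    @Override
    protected boolean processPreprocess(HttpServletRequest request,
                                        HttpServletResponse response) {
        if (LOGIN_PATH.equals(request.getServletPath())) {
            return true; // the login action itself must stay reachable
        }
        HttpSession session = request.getSession(false); // do not create a session
        if (session != null && session.getAttribute("userid") != null) {
            return true;
        }
        // Redirect without sendRedirect(), which throws a checked IOException.
        response.setStatus(HttpServletResponse.SC_FOUND);
        response.setHeader("Location", request.getContextPath() + LOGIN_PATH);
        return false;
    }

    // Called once the mapping is known; enforces <action roles="..."> against
    // the "roles" session attribute (assumed: a Set<String> stored at login).
    @Override
    protected boolean processRoles(HttpServletRequest request,
            HttpServletResponse response, ActionMapping mapping) throws IOException {
        String[] required = mapping.getRoleNames();
        if (required == null || required.length == 0) {
            return true; // action is not role-restricted
        }
        HttpSession session = request.getSession(false);
        Object held = (session == null) ? null : session.getAttribute("roles");
        if (held instanceof Set) {
            for (String role : required) {
                if (((Set<?>) held).contains(role)) return true;
            }
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

The class is registered through the processorClass attribute of the controller element in struts-config.xml. Requests that never reach the ActionServlet, such as static content or JSP pages requested directly, bypass it in the same way they bypass the action classes in approach 1.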

Which approach are you using for security design? Please comment on this and share your thinking on security designs.

Thanks
Hari


Happy X’mas

December 25, 2009

As 2009's last leaves are falling down, it is my hope that you and your family have a very merry Christmas. It is my prayer that you and your family have a prosperous and happy new year.
From
Rekha & me


PojoXml-1.0 is released

December 19, 2009

Finally my first open source venture, pojoxml, is released. This is the initial version of the project. You can find the PojoXml materials on Google Code, where the project is hosted. For the second release, lots of new features are planned. Some people have already shown their interest [Kalpit, Rejin] in joining this project. Thanks for your support.
