0

User validation and session management

asked 2008-07-09 09:17:28 +0800

pannekuche gravatar image pannekuche
42 1 1

Hello there!
I have a really "stupid" question and I'm sure somebody can help me because its really simple :)
I made a login-screen from my application, if the user is a valid user (i started a query to database), i do a redirect to a new page. on the new page i have to check if the user is logged in and has the appropriate rights to visit this page. this is necessary because you can access all the zul-files placed under the web-directory (and i really dont now how to handle this, i am new to web programming ;) )
my first approach (i hope theres a better one) looks like this:
the user goes to login.zul (its the welcome page of my app), enters some data and finally clicks the login button.
if the the user is a valid user ( i started a query to my database), the following code is executed in my controller-class:

Sessions.getCurrent().setAttribute("user", user); // save user-object in session
Executions.sendRedirect("index.zul"); // redirect to index


Now, my index.zul, where i redirected the user, looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<zk xmlns="http://www.zkoss.org/2005/zul">
    <window
        width="400px" 
        height="300px"
        use="SessionController"
        onCreate="self.checkSession()">
        <label value="You are logged in..."/>
    </window>
</zk>

On creation, "self.checkSession()" is called to check if the user is logged in... i created a sessionController-class which provides the following code:

public class SessionController extends Window{  
    public void checkSession(){
        boolean valid = Sessions.getCurrent().getAttribute("user") != null ? true : false;
        if (!valid){
            Executions.sendRedirect("error.zul");
        }
    }
}


My file error.zul looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<zk xmlns="http://www.zkoss.org/2005/zul">
    <window
        border="normal"
        mode="overlapped"
        draggable="false"
        width="300px"
        height="80px"
        onCreate="self.position = "top,center";"
        title="Error">
        <grid>
            <rows>
                <row align="center">
                    <label value="You are not logged in..."/>
                </row>
                <row align="center">
                    <button label="Goto Login" onClick="redirect()"/>
                </row>
            </rows>
        </grid>    
        <zscript>{      
                    void redirect(){
                        Executions.sendRedirect("login.zul");
                    }
                }
        </zscript>
    </window>
</zk>

The whole thing works (i'm sure, its not very nice...), but my index.zul is fully rendered and after this is done the onCreate-methode is called... can the method "checkSession()" be called before anything is rendered or is there a better approach to check the user-session attribute?

Thanks in advance
pannekuche

delete flag offensive retag edit

8 Replies

Sort by ยป oldest newest

answered 2008-07-09 13:30:41 +0800

ansancle gravatar image ansancle
317 9

One thing you can try is to set your window to not be visible in the .zul, and in the onCreate when you are done checking everything you can then call setVisible("true");

So :

<window visible="false" .......

In the java

public void onCreate()
{
   ... Check user status....
   ... If OK...
      setVisible("true");
   ... else
      redirect....


Something else you can do (which is what I do) is specify in the .zul an "init" class that gets called before the .zul gets fully rendered :

<!-- This will check that the user is logged in, the argument tells the login screen where to redirect after login -->
<?init class="com.foo.CheckForLogin" arg0="/tunertest.zul"?>

This class must implement the org.zkoss.zk.ui.util.Initiator interface.

the arg0 passes along the name of the .zul file I want to redirect to once the user has successfully logged in. So in the code below it will check to see if the user has logged in by looking for a userId in the session.

In the java code (CheckForLogin.java) you can get value of this argument using the following :

	public void doInit(Page arg0, Object[] arg1) throws Exception
	{
		Session zkSession = Executions.getCurrent().getDesktop().getSession();
		Integer userId = (Integer)currentSession.getAttribute("userid");
                if (userId == null)
		{			
                       // Since the user has not logged in you redirect to your login window, I pass along in 
                       // arg1[0] the name of the .zul that they were trying to access when I checked to see if they were logged in,
                      //  That way after they log in I can redirect them back to that page
			Executions.sendRedirect("LoginWindow.zul?" + "redirectUrl" + "=" + arg1[0]);
		}
	}

When do log in just add the userId into the session, add the init code shown above into every .zul file and you are ensured that the user has to login before accessing any page in your application.

Hope this helps.
- Andy

link publish delete flag offensive edit

answered 2008-07-09 13:47:55 +0800

pannekuche gravatar image pannekuche
42 1 1

Hi Andy, thank you very much. I'll try the second solution with the "CheckForLogin", this looks nicer ;)

But isn't there another solution to "hide" all the ".zul"-files in WEB-INF?

link publish delete flag offensive edit

answered 2008-07-09 13:52:14 +0800

ansancle gravatar image ansancle
317 9

What do you mean by "hide"?

link publish delete flag offensive edit

answered 2008-07-09 14:08:12 +0800

pannekuche gravatar image pannekuche
42 1 1

i thought, all ".jsp", ".zul", ".html" files (contained in the WEB-INF) folder are hidden. they cannot be accessed by typing a url like:

http://localhost:8080/app/test.zul

structure in folder looks like:
index.zul
index2.zul
/WEB-INF/test.zul
/WEB-INF/shouldBeHidden.zul

link publish delete flag offensive edit

answered 2008-07-09 14:09:04 +0800

pannekuche gravatar image pannekuche
42 1 1

Update: Session management works, thanks again :)

link publish delete flag offensive edit

answered 2008-07-09 14:52:54 +0800

ansancle gravatar image ansancle
317 9

I placed my .zul files under a zul directory and not under WEB-INF, my file structure looks like :

WebRoot
  - META-INF 
  - WEB-INF
  - zul
      - zul subdirectories and all zul files.

link publish delete flag offensive edit

answered 2008-07-10 06:53:04 +0800

pannekuche gravatar image pannekuche
42 1 1

hm, ok. i'll try this.

thanks

link publish delete flag offensive edit

answered 2013-07-05 22:25:21 +0800

rickcr gravatar image rickcr
704 7

updated 2013-07-05 22:26:55 +0800

I use a more traditional approach using a ServletFilter. All my page are under a "pages" directory.

   <filter-mapping>
    <filter-name>MySecurityFilter</filter-name>
    <url-pattern>/pages/*</url-pattern>
   </filter-mapping>

You're security filter than is something like...

public class MySecurityFilter implements Filter {

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    HttpSession session = request.getSession(false);

    if (session == null || session.getAttribute("user") == null) {
        //redirec to login page or whatever you need to do
        //be sure login.zul resides outside of your secure pages directory 
    } else {
        filterChain.doFilter(request, response);
        return;
    }
}

You Login ViewModel/Controller would be responsible for setting the User in session

link publish delete flag offensive edit
Your reply
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow

RSS

Stats

Asked: 2008-07-09 09:17:28 +0800

Seen: 2,555 times

Last updated: Nov 07 '13

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More