With Mentawai, it is easy to implement an authentication mechanism for your web site. All the details are already taken care of by the BaseLoginAction and by the AuthenticationFilter, both provided by Mentawai.
Creating the login action:
    import org.mentawai.action.BaseLoginAction;

    public class LoginAction extends BaseLoginAction {

        public String execute() throws Exception {
            String user = input.getString("username");
            String pass = input.getString("password");

            // Reject missing or blank credentials
            if (user == null || user.trim().equals("")) {
                return ERROR;
            }
            if (pass == null || pass.trim().equals("")) {
                return ERROR;
            }

            // Hard-coded credentials keep the example short; a real application checks its user store
            if (!user.equals("saoj") || !pass.equals("abc123")) {
                return ERROR;
            }

            // Marks the session as authenticated
            setSessionObj(user);
            return SUCCESS;
        }
    }
Once you call setSessionObj the user is considered logged in until the session is invalidated (when the reset method is called or when the session times out).
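The login action above compares the request against a hard-coded username and password. As an added example (not part of Mentawai or of the original page), the following sketch shows a credential check that execute() could call instead, storing salted PBKDF2 hashes and comparing them in constant time. The class name CredentialStore, its in-memory map and the iteration count are assumptions of this example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper (not a Mentawai class): keeps salted PBKDF2 hashes, never plaintext.
public class CredentialStore {
    private static final int ITERATIONS = 600_000; // assumed work factor, tune for your hardware
    private static final int KEY_BITS = 256;
    private final Map<String, byte[][]> users = new ConcurrentHashMap<>(); // user -> {salt, hash}
    private final SecureRandom random = new SecureRandom();
    private final byte[][] dummy; // used for unknown usernames so they cost the same work

    public CredentialStore() throws Exception { dummy = newEntry("placeholder".toCharArray()); }

    // Generates a fresh random salt and derives the hash for one password.
    private byte[][] newEntry(char[] password) throws Exception {
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        return new byte[][] { salt, derive(password, salt) };
    }

    private static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    public void register(String user, char[] password) throws Exception { users.put(user, newEntry(password)); }

    // True only for a known user whose password matches; the hash comparison is constant-time.
    public boolean verify(String user, String password) throws Exception {
        if (user == null || password == null || password.isEmpty()) return false;
        byte[][] entry = users.get(user);
        boolean known = entry != null;
        if (!known) entry = dummy; // still run PBKDF2 so response time does not reveal valid usernames
        return MessageDigest.isEqual(derive(password.toCharArray(), entry[0]), entry[1]) & known;
    }

    public static void main(String[] args) throws Exception {
        CredentialStore store = new CredentialStore();
        store.register("saoj", "abc123".toCharArray()); // constructed account, same values as the tutorial
        System.out.println(store.verify("saoj", "abc123") + " " + store.verify("saoj", "wrong") + " " + store.verify("nobody", "abc123"));
    }
}
```

In the LoginAction, the hard-coded comparison would then become `if (!store.verify(user, pass)) return ERROR;`, where `store` is an application-wide CredentialStore instance (an assumption of this example).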
Setting up the authentication filter and the login action in the application manager:
    @Override
    public void loadFilters() {
        filter(new AuthenticationFilter());
        on(LOGIN, redir("/jsp/login.jsp"));
    }

    @Override
    public void loadActions() {
        action("/Login", LoginAction.class) // Note: No method defined so execute() method from the action will be assumed
            .on(SUCCESS, redir("/jsp/welcome.jsp"))
            .on(ERROR, fwd("/jsp/login.jsp"));
    }
Protecting action access from unauthorized requests:
When you add the authentication filter as a global filter, all the actions will automatically require authentication before any one of them is executed. However, some actions are meant NOT to require authentication, for example: registration, any front page action, the login action itself, etc. To bypass authentication for these special cases you can do:
    action("/User", UserAction.class, "add")
        .bypassAuthentication()
        .on(ERROR, fwd("/jsp/user/add.jsp"))
        .on(CREATED, fwd("/jsp/index.jsp"));
TIP: Although you can do the same thing for the LoginAction, it is not required because the BaseLoginAction implements the AuthenticationFree interface. That's another way of signaling to the controller that an action wants to bypass authentication.
Protecting JSP pages from unauthorized access:
A request can be made straight to a JSP page bypassing the Mentawai controller. To block access to some JSP pages that require authentication you can use the following menta tag:
    <%@ page contentType="text/html; charset=UTF-8"%>
    <%@taglib prefix="mtw" uri="http://www.mentaframework.org/tags-mtw/"%>
    <mtw:requiresAuthentication />
    <html>
    <body>
    <h2>You must be logged to see this!</h2>
    </body>
    </html>
Logging out:
For logging out you can just use the LogoutAction, provided by Mentawai.
    // License goes here...
    package org.mentawai.action;

    import org.mentawai.core.BaseAction;
    import org.mentawai.filter.AuthenticationFree;

    /**
     * A simple Logout action that can be used for user logout.
     * This action just calls the session <i>reset()</i> method, to clear the session.
     *
     * @author Sergio Oliveira
     */
    public class LogoutAction extends BaseAction implements AuthenticationFree {

        /**
         * Implements the actual logout.
         * This method simply calls the session <i>reset()</i> method, to clean the session.
         * You may override this method if you want to do other operations when the user logs out.
         */
        protected void logout() {
            session.reset();
        }

        public String execute() throws Exception {
            logout();
            return SUCCESS;
        }

        @Override
        public boolean bypassAuthentication(String innerAction) {
            return true;
        }
    }
And you can configure in the application manager:
    action("/Logout", LogoutAction.class) // Note: No method configured so execute() will be used
        .on(SUCCESS, redir("/jsp/index.jsp"));
NOTE: Again you don't need to mark the action with bypassAuthentication() because the LogoutAction implements AuthenticationFree.
Redirecting to a page after the login is successfully done:
To send the client back to the original page they first landed on while NOT authenticated, you can do:
    action("/User", UserAction.class, "edit")
        .comeBackAfterLogin()
        .on(ERROR, fwd("/jsp/user/edit.jsp"))
        .on(SHOW, fwd("/jsp/user/edit.jsp"))
        .on(UPDATED, fwd("/jsp/index.jsp"));
If you want to do the same thing for a JSP page that can be accessed directly by the browser without going through the Mentawai controller, you can pass the redir attribute to the requiresAuthentication menta tag:
    <%@ page contentType="text/html; charset=UTF-8"%>
    <%@taglib prefix="mtw" uri="http://www.mentaframework.org/tags-mtw/"%>
    <mtw:requiresAuthentication redir="true" />
    <html>
    <body>
    <h2>You must be logged to see this!</h2>
    </body>
    </html>