There are several ways to perform user validation and access control in a Struts application. One is to let the servlet container do it. Recent containers (Tomcat 4.0.1, for example) support container-managed security: you declare which URLs are restricted in the application's web.xml, and a Realm looks up user and role information in one of a variety of data sources (a JDBC database, an XML file, and so on).
Container-managed security, however, takes some effort to set up, especially in a sample application like this one. Frankly, there is nothing wrong with the time-tested way of doing things, which is to store a flag in the session that indicates the user has logged in, and control access based on that flag. Two cautions apply to any hand-rolled scheme of this kind: set the flag only after the credentials have actually been verified, and invalidate the old session and start a fresh one at login, so that a session ID an attacker planted before login is not promoted to an authenticated one.
In fact, Struts makes this approach easier. In Model 1 JSP processing, you have to put code at the top of every page that checks whether the user is allowed to view it. In Struts, you can decouple that check from the view by placing it in the Action that provides access to the page.
For example, take a look at the Action class for the action that provides access to the portfolio maintenance page (see Listing 8.9).
Because the Action checks whether the user is logged in before returning the forward to the portfolio page, a user who arrives through the action cannot reach the page without logging in. Even if he bookmarks it, the bookmark points at the action.do URL rather than at the JSP, so the Action runs first. Two conditions make this hold. First, the JSP itself must not be reachable by a direct request: place it under /WEB-INF/, which the container never serves to a browser but which a Struts forward can still reach, or restrict *.jsp with a security constraint in web.xml; an unguessable file name is not protection. Second, every Action that forwards to a protected page must perform the same check, not just this one, which is why it pays to put the check in a common base class.
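The following is an added example, not Listing 8.9 or any other code from the book. It shows the session-flag check from the two paragraphs above centralized in a base Action, so that every protected page inherits it, together with a login Action that sets the flag and regenerates the session. It is written against the Struts 1.1 Action API; the class names, the `loggedInUser` attribute, the `login`/`success`/`failure` forward names, and the `username`/`password` parameter names are all assumptions. The three classes are nested in one source file so the listing compiles as a unit; in a real project each would get its own file.

```java
// Added example (not Listing 8.9). Struts 1.1 API; names are assumptions.
// Because the actions are nested, struts-config.xml refers to them with a '$':
//   <action path="/portfolio" type="com.example.SessionAuth$PortfolioAction">
//     <forward name="success" path="/WEB-INF/jsp/portfolio.jsp"/>
//     <forward name="login"   path="/login.jsp"/>
//   </action>
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public final class SessionAuth {

    /** Session attribute that marks a logged-in user (assumed name). */
    public static final String USER_KEY = "loggedInUser";

    private SessionAuth() { }

    /** Base class for every Action that serves a protected page. */
    public abstract static class ProtectedAction extends Action {

        // final: a subclass cannot override execute() and skip the check
        public final ActionForward execute(ActionMapping mapping, ActionForm form,
                                           HttpServletRequest request,
                                           HttpServletResponse response)
                throws Exception {
            // getSession(false) does not create a session for an anonymous request
            HttpSession session = request.getSession(false);
            if (session == null || session.getAttribute(USER_KEY) == null) {
                // Not logged in: every mapping that uses this class declares "login"
                return mapping.findForward("login");
            }
            return executeAuthenticated(mapping, form, request, response);
        }

        /** Page logic goes here; it runs only for logged-in users. */
        protected abstract ActionForward executeAuthenticated(
                ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response)
                throws Exception;
    }

    /** The portfolio maintenance action: nothing but the forward to the page. */
    public static class PortfolioAction extends ProtectedAction {
        protected ActionForward executeAuthenticated(
                ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response) {
            // "success" points at /WEB-INF/jsp/portfolio.jsp: the container will
            // not serve it to a direct request, but this forward can reach it
            return mapping.findForward("success");
        }
    }

    /** Sets the flag after a successful credential check. */
    public abstract static class LoginAction extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                                     HttpServletRequest request,
                                     HttpServletResponse response) {
            String user = request.getParameter("username");
            String pass = request.getParameter("password");
            if (user == null || pass == null || !checkCredentials(user, pass)) {
                return mapping.findForward("failure");
            }
            // Discard any session that existed before login so that a session ID
            // fixed by an attacker is never promoted to an authenticated one.
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();
            }
            HttpSession session = request.getSession(true);
            session.setAttribute(USER_KEY, user);
            return mapping.findForward("success");
        }

        /** Supplied by the application: look the user up in its own user store. */
        protected abstract boolean checkCredentials(String user, String pass);
    }
}
```

Each protected action extends `ProtectedAction` and implements only `executeAuthenticated`, so forgetting the check on a new page is no longer possible. The forward to the protected JSP must point under `/WEB-INF/` (or the JSP must be covered by a web.xml security constraint) for the scheme to hold; with the JSP in the document root, a request for its real path would bypass the Action entirely.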