Authentication

With Mentawai, it is very easy to implement an authentication mechanism for your web site. All the details are already taken care of by the org.mentawai.action.BaseLoginAction action and by the org.mentawai.filter.AuthenticationFilter filter.
To implement a login action, you should inherit from org.mentawai.action.BaseLoginAction, which has some useful methods like setUserSession(Object user), getUserSession() and isLogged().

For an user to be considered logged in the site, he must have a User object (or Profile, etc.) in the session. You can use the method setUserSession(Object user) for that porpouse.
Below is an example of a LoginAction to authenticate the user.

But how does mentawai prevent unauthorized access to other actions? And how does it prevent unauthorized access to jsp pages? The answer for the first question is a global authentication filter.

The Authentication Filter

Mentawai has a useful filter to enforce that an action must only be accessed by a authenticated user. This is the org.mentawai.filter.AuthenticationFilter. Below is an example of how to set up this filter in your application manager:

In the code above, we are defining a global filter and a global consequence. As you may expect, a global filter is applied to all actions, and a global consequence can be returned by all actions. Note that the consequence LOGIN is actually returnedby the AuthenticationFilter, and since this filter is applied to all actions, then every action can return this consequence.This consequence indicates that the user is not authenticated and should be redirected to the login page.

Is this global filter also affecting the LoginAction? Yes, because it is a global filter! The LoginAction should not be affected by this filter, otherwiser the user won't be able to login. The trick to solve this problem is the interface org.mentawai.filter.AuthenticationFree. If an action implements this interface, it just signs to the filter that it does not want to be blocked. The BaseLoginAction implements this interface, so the LoginAction above will work, even if you did not know that.

Whenever you need to implement an authentication-free action like for example a PasswordRecoveryAction or a HelpAction, you should implement this interface to bypass authentication. It has only the method bypassAuthentication(String innerAction) that you should implement to tell the AuthenticationFilter which inner actions you want to allow access without authentication. If your action does not have inner actions or if you want to grant access to all inner actions, then you should just return true from inside this method.

How about JSP pages? How do we protect them? The answer is the mentawai tag <mtw:requiresAuthentication />. You can place this tag on the top of every JSP page you want to protect, and it will enforce that only authenticated users will be able to see the page. Like that:

Logout

To perform a logout all you have to do is call the reset() method of an action's session context (org.mentawai.core.Context). Recall that the action's session context is automatically available to all actions that inherit from org.mentawai.core.BaseAction through a protected data member. Mentawai comes with a ready-to-use logout action called org.mentawai.action.LogoutAction. Check its code below to see how simple it is to perform a logout:

Then in the ApplicationManager you should define the page to go after a logout:

public class ApplicationManager extends org.mentawai.core.ApplicationManager {
	
    public void loadActions() {
        
        // Ruby Style
        
        filter(new AuthenticationFilter());
        on(LOGIN, redir("/login.jsp"));
        
        action("/Login", LoginAction.class)
            .on(SUCCESS, redir("/welcome.jsp"))
            .on(ERROR, fwd("/login.jsp"));
                    
        action("/Logout", LogoutAction.class)
            .on(SUCESS, redir("/index.jsp"));

// Java Style
		
        addGlobalFilter(new AuthenticationFilter());
        addGlobalConsequence(AuthenticationFilter.LOGIN, new Redirect("/login.jsp"));
        
        ActionConfig ac = new ActionConfig("/Login", LoginAction.class);
        ac.addConsequence(LoginAction.SUCCESS, new Redirect("/welcome.jsp"));
        ac.addConsequence(LoginAction.ERROR,  new Forward("/login.jsp"));
        addActionConfig(ac);
        
        ac = new ActionConfig("/Logout", LogoutAction.class);
        ac.addConsequence(LogoutAction.SUCCESS, new Redirect("/index.jsp"));
        addActionConfig(ac);
    }
}

Above we are specifying that our site will redirect to its first page after a logout, and that the logout url is http://www.yourapp.com/Logout.mtw (or http://www.yourapp.com/YOUR_CONTEXT/Logout.mtw). That's easy!

Redirect After Login

If a not-logged user tries to access the page http://www.myapp.com/ShowUser.mtw?id=10, it will be redirected to the login page. Then after he successfuly logs in, he will be taken to the welcome page. You may not want that. You may want to take him straight to the show user page. That's called a redirect after the login, and mentawai can take care of that for you.
Again we have two scenarios: redirecting back to an action (http://www.mycode.com/ShowUser.mtw?id=10) and redirecting back to a JSP page (http://www.mycode.com/hello.jsp).
The first thing we must do is to turn on a special filter for our LoginAction. This filter will check whether a redirect is needed after the LoginAction is executed and if that's the case return a REDIR consequence. Check the code below:

import org.mentawai.core.*;
import org.mentawai.filter.*;

public class ApplicationManager extends org.mentawai.core.ApplicationManager {
	
    public void loadActions() {
        
        // Ruby Style
        
        filter(new AuthenticationFilter());
        on(LOGIN, redir("/login.jsp"));
        
        action("/Login", LoginAction.class)
            .on(SUCCESS, redir("/welcome.jsp"))
            .on(ERROR, fwd("/login.jsp"))
            
            .filter(new RedirectAflterLogin())
            .on(REDIR, redir());

action("/Logout", LogoutAction.class)
            .on(SUCESS, redir("/index.jsp"));
            
        // Java Style
		
        addGlobalFilter(new AuthenticationFilter());
        addGlobalConsequence(AuthenticationFilter.LOGIN, new Redirect("/login.jsp"));
        
        ActionConfig ac = new ActionConfig("Login", Login.class);
        ac.addConsequence(Login.SUCCESS, new Redirect("/welcome.jsp"));
        ac.addConsequence(Login.ERROR,  new Forward("/login.jsp"));
        addActionConfig(ac);
        
        ac.addFilter(new RedirectAfterLoginFilter());
        ac.addConsequence(RedirectAfterLoginFilter.REDIR, new Redirect());
        
        ac = new ActionConfig("/Logout", LogoutAction.class);
        acConsequence.add(LogoutAction.SUCCESS, new Redirect("/index.jsp"));
        addActionConfig(ac);
    }
}

The filter we are using for the LoginAction is the org.mentawai.filter.RedirectAfterLoginFilter. It can force the action to return a REDIR consequence, which is a dynamic redirect for the first page the user tried to access.

By default, all actions and JSP pages will not redirect after the login. To turn on redirect after login for an action, you must implement the interface org.mentawai.filter.RedirectAfterLogin which has only one method: shouldRedirect(String innerAction). You should return true for the inner actions you want to allow a redirect after login. For JSP pages it is even easier: just use the redir attribute of the mtw:requiresAuthentication /> tag.