"cuoz" wrote : I just noticed this thread, and am not really sure what the big issue is. My form based login page is a JSP and uses struts tags and tiles. My form action posts directly to j_security_check.
| 
| The struts controller servlet does not enter the picture until after the authentication is complete.
| 
| I think this would be the life cycle for my webapp:
| 1. browser requests /webapp/protectedresource/mainmenu.do
| 2. tomcat redirects to login page which is a jsp page that uses struts tags and tiles
| 3. user logs in. post goes to j_security_check
| 4. container authenticates and loads /webapp/protectedresource/mainmenu.do, which is mapped to the struts controller servlet.
| 5. struts takes over from here, runs the action and forwards to the view.
| 
| I have my struts controller mapped to *.do in my web.xml.
| 
| If I'm missing the real issue and this doesn't help let me know. Maybe you are trying to do something additional that I'm not.
| 
| gary.

I'm aware of the fact that this is kind of late for a follow-up, but this is the only thread (out of the other 20 I've read) that matches my JAAS/Struts problem.

Having said that, could you post the code for the form of your logon page? The things I don't understand are:
1. where do you put your authentication code (the LoginContext lc.login and stuff)?
2. if one were to start from a logon-page (as opposed to your case, where a user tries to request a secured web-page), how would you suggest forwarding to the correct page after login was successful?

FYI, here's my scenario:
I'm using Struts - tags and ActionForms - on every page. The web-application starts with a logon page. Currently I've got a LogonAction which merely checks if the username exists in a database (through an EJB layer), and if it does, forward to the main-page.

I tried using FORM authentication like this:

--- In login-config.xml ---
| <application-policy name="ReqPoster">
|   <authentication>
|     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
|                   flag="required">
|       <module-option name="usersProperties">ReqPoster-users.properties</module-option>
|       <module-option name="rolesProperties">ReqPoster-roles.properties</module-option>
|     </login-module>
|   </authentication>
| </application-policy>

I keep the usersProperties.properties and the rolesProperties.properties files in the web.war's /WEB-INF/classes/ directory.
(Where is that defined anyway, I didn't know for sure until recently when I read some posts)

--- In web.xml ---
| <login-config>
|   <auth-method>FORM</auth-method>
|   <realm-name>ReqPoster</realm-name>
| 
|   <form-login-config>
|     <form-login-page>/pages/login.jsp</form-login-page>
|     <form-error-page>/pages/error.jsp</form-error-page>
|   </form-login-config>
| 
| </login-config>
| 
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>ReqPosterWeb</web-resource-name>
|     <url-pattern>*.do</url-pattern>
|   </web-resource-collection>
|   <auth-constraint>
|     <role-name>UserRole</role-name>
|     <role-name>AdminRole</role-name>
|   </auth-constraint>
| </security-constraint>

--- In login.jsp ---
| <html:form action="actions/login.do" method="post">
| 
|   <div class="formbox">
|     <p>
|       <label for="j_username"><bean:message key="login.userPrompt" /></label><html:text styleClass="mainInput" property="j_username" styleId="user" onfocus="inputIn(this.id);" onblur="inputOut(this.id);" />
|     </p>
|     <p>
|       <label for="j_password"><bean:message key="login.passwordPrompt" /></label><html:password redisplay="false" styleClass="mainInput" property="j_password" styleId="pass" onfocus="inputIn(this.id);" onblur="inputOut(this.id);"/>
|     </p>
|     <p>
|       <label> </label><input type="submit" id="submit" value='<bean:message key="login.submitLabel" />' />
|     </p>
|   </div>
| 
| </html:form>

I've got my actionform set to accept these values, but the logonAction does not redirect to the j_security_check.
Instead I've got this in a filter:

| public void init(FilterConfig filterConfig) throws ServletException {
|     this.filterConfig = filterConfig;
|     System.out.println("AuthenticationFilter.init()");
|     configName = filterConfig.getInitParameter("configName");
|     username = filterConfig.getInitParameter("username");
|     String x = filterConfig.getInitParameter("password");
|     if( x != null )
|         password = x.toCharArray();
|     handler = new UsernamePasswordHandler(username, password);
| }
| 
| public void doFilter(
|         ServletRequest request,
|         ServletResponse response,
|         FilterChain chain) throws IOException, ServletException {
|     LoginContext lc = null;
|     try {
|         System.out.println("AuthenticationFilter, login as: "+username);
|         lc = new LoginContext(configName, handler);
|         lc.login();
|     } catch(LoginException e) {
|         throw new ServletException("Failed to perform JAAS login", e);
|     }
|     try {
|         chain.doFilter(request, response);
|     } finally {
|         if( lc != null ) {
|             try{
|                 System.out.println("AuthenticationFilter, logout");
|                 lc.logout();
|             } catch(LoginException e) {
|                 e.printStackTrace();
|             }
|         }
|     }
| }

--- Filter statements in web.xml ---
| <filter>
|   <filter-name>AuthenticationFilter</filter-name>
|   <display-name>AuthenticationFilter</display-name>
|   <description><![CDATA[Checks if a session is authenticated.]]></description>
|   <filter-class>org.ineos.RequestPosterAdmin.filters.AuthenticationFilter</filter-class>
|   <init-param>
|     <param-name>configName</param-name>
|     <param-value>ReqPoster</param-value>
|   </init-param>
|   <init-param>
|     <param-name>username</param-name>
|     <param-value>test</param-value>
|   </init-param>
|   <init-param>
|     <param-name>password</param-name>
|     <param-value>ptest</param-value>
|   </init-param>
| </filter>
| 
| 
| <filter-mapping>
|   <filter-name>AuthenticationFilter</filter-name>
|   <url-pattern>*.do</url-pattern>
| </filter-mapping>

If I comment out the login-config elements in web.xml and use BASIC authentication instead of FORM, it does work.
Now all it does is redirect the user back to the login page.

What I'm looking for is
1. to be able to use the form authentication
2. getting the user and her roles for further authorization in the future (in Struts Actions), by using the .isUserInRoles and stuff like that.

Any help would be greatly appreciated.

P.S.: My apologies for this late follow-up.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3854274#3854274

_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
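
The life cycle described in the quoted message, as an added example that is not part of the original thread or either poster's code: the login form posts straight to the container's j_security_check, and a Struts action behind the *.do security constraint then reads the authenticated user and roles from the request. The class name MainMenuAction, the package, the request attribute and the forward names are hypothetical; Struts 1 and the servlet API are assumed on the classpath, and the WAR is assumed to be bound to the ReqPoster security domain.

```java
// Added example; names marked "hypothetical" are not from the thread.
//
// Assumed login.jsp form: plain HTML that posts to the container,
// not to a Struts action, so no ActionForm or filter handles the password:
//   <form method="post" action="j_security_check">
//     <input type="text"     name="j_username" />
//     <input type="password" name="j_password" />
//     <input type="submit" />
//   </form>
package example; // hypothetical package

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class MainMenuAction extends Action { // hypothetical action mapped to a *.do path

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {

        // Set by the container once j_security_check has succeeded.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // The request was not authenticated by the container, which means
            // this URL is not covered by a security-constraint. Fail closed.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null; // response already committed, no forward
        }
        request.setAttribute("userName", user.getName()); // hypothetical attribute

        // Role names are the ones declared in the thread's web.xml.
        if (request.isUserInRole("AdminRole")) {
            return mapping.findForward("adminMenu"); // hypothetical forward
        }
        if (request.isUserInRole("UserRole")) {
            return mapping.findForward("userMenu"); // hypothetical forward
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return null;
    }
}
```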