"cuoz" wrote : I just noticed this thread, and am not really sure what the big
issue is. My form based login page is a JSP and uses struts tags and tiles.
My form action posts directly to j_security_check.
|
| The struts controller servlet does not enter the picture until after the authentication is complete.
|
| I think this would be the life cycle for my webapp:
| 1. browser requests /webapp/protectedresource/mainmenu.do
| 2. tomcat redirects to login page which is a jsp page that uses struts tags and tiles
| 3. user logs in. post goes to j_security_check
| 4. container authenticates and loads /webapp/protectedresource/mainmenu.do, which is mapped to the struts controller servlet.
| 5. struts takes over from here, runs the action and forwards to the view.
|
| I have my struts controller mapped to *.do in my web.xml.
|
| If I'm missing the real issue and this doesn't help let me know. Maybe you are trying to do something additional that I'm not.
|
| gary.
I'm aware of the fact that this is kind of late for a follow-up, but this is
the only thread (out of the other 20 I've read) that matches my JAAS/Struts
problem.
That being said, could you post the code for the form of your logon page?
The things I don't understand are:
1. where do you put your authentication code (the LoginContext lc.login and
stuff)?
2. if one were to start from a logon-page (as opposed to your case, where a user
tries to request a secured web-page), how would you suggest forwarding to the
correct page after login was successful?
FYI, here's my scenario:
I'm using Struts - tags and ActionForms - on every page.
The web-application starts with a logon page.
Currently I've got a LogonAction which merely checks if the username exists in
a database (through an EJB layer), and if it does, forward to the main-page.
I tried using FORM authentication like this:
--- In login-config.xml ---
| <application-policy name="ReqPoster">
|   <authentication>
|     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
|                   flag="required">
|       <module-option name="usersProperties">ReqPoster-users.properties</module-option>
|       <module-option name="rolesProperties">ReqPoster-roles.properties</module-option>
|     </login-module>
|   </authentication>
| </application-policy>
|
I keep the usersProperties.properties and the rolesProperties.properties files
in the web.war's /WEB-INF/classes/ directory. (Where is that defined anyway, I
didn't know for sure until recently when I read some posts)
--- In web.xml ---
| <login-config>
|   <auth-method>FORM</auth-method>
|   <realm-name>ReqPoster</realm-name>
|
|   <form-login-config>
|     <form-login-page>/pages/login.jsp</form-login-page>
|     <form-error-page>/pages/error.jsp</form-error-page>
|   </form-login-config>
|
| </login-config>
|
| <security-constraint>
|   <web-resource-collection>
|     <web-resource-name>ReqPosterWeb</web-resource-name>
|     <url-pattern>*.do</url-pattern>
|   </web-resource-collection>
|   <auth-constraint>
|     <role-name>UserRole</role-name>
|     <role-name>AdminRole</role-name>
|   </auth-constraint>
| </security-constraint>
|
--- In login.jsp ---
| <html:form action="actions/login.do" method="post">
|
|   <div class="formbox">
|     <p>
|       <label for="j_username"><bean:message key="login.userPrompt" /></label>
|       <html:text styleClass="mainInput" property="j_username" styleId="user" onfocus="inputIn(this.id);" onblur="inputOut(this.id);" />
|     </p>
|     <p>
|       <label for="j_password"><bean:message key="login.passwordPrompt" /></label>
|       <html:password redisplay="false" styleClass="mainInput" property="j_password" styleId="pass" onfocus="inputIn(this.id);" onblur="inputOut(this.id);"/>
|     </p>
|     <p>
|       <label> </label><input type="submit" id="submit" value='<bean:message key="login.submitLabel" />' />
|     </p>
|   </div>
|
| </html:form>
|
I've got my actionform set to accept these values, but the logonAction does not
redirect to the j_security_check.
Instead I've got this in a filter:
| public void init(FilterConfig filterConfig) throws ServletException {
|     this.filterConfig = filterConfig;
|     System.out.println("AuthenticationFilter.init()");
|     // JAAS configuration name and credentials come from the init-params in web.xml
|     configName = filterConfig.getInitParameter("configName");
|     username = filterConfig.getInitParameter("username");
|     String x = filterConfig.getInitParameter("password");
|     if( x != null )
|         password = x.toCharArray();
|     // One callback handler, built once, holding those fixed credentials
|     handler = new UsernamePasswordHandler(username, password);
| }
|
| public void doFilter(
|         ServletRequest request,
|         ServletResponse response,
|         FilterChain chain) throws IOException, ServletException {
|     LoginContext lc = null;
|     try {
|         // Logs in with the configured username, not with values posted from the form
|         System.out.println("AuthenticationFilter, login as: "+username);
|         lc = new LoginContext(configName, handler);
|         lc.login();
|     } catch(LoginException e) {
|         throw new ServletException("Failed to perform JAAS login", e);
|     }
|     try {
|         chain.doFilter(request, response);
|     } finally {
|         // Log out again once the request has been processed
|         if( lc != null ) {
|             try{
|                 System.out.println("AuthenticationFilter, logout");
|                 lc.logout();
|             } catch(LoginException e) {
|                 e.printStackTrace();
|             }
|         }
|     }
| }
|
--- Filter statements in web.xml ---
| <filter>
|   <filter-name>AuthenticationFilter</filter-name>
|   <display-name>AuthenticationFilter</display-name>
|   <description><![CDATA[Checks if a session is authenticated.]]></description>
|   <filter-class>org.ineos.RequestPosterAdmin.filters.AuthenticationFilter</filter-class>
|   <init-param>
|     <param-name>configName</param-name>
|     <param-value>ReqPoster</param-value>
|   </init-param>
|   <init-param>
|     <param-name>username</param-name>
|     <param-value>test</param-value>
|   </init-param>
|   <init-param>
|     <param-name>password</param-name>
|     <param-value>ptest</param-value>
|   </init-param>
| </filter>
|
|
| <filter-mapping>
|   <filter-name>AuthenticationFilter</filter-name>
|   <url-pattern>*.do</url-pattern>
| </filter-mapping>
|
If I comment out the login-config elements in web.xml and use BASIC
authentication instead of FORM, it does work. Now all it does is redirect the
user back to the login page.
What I'm looking for is
1. to be able to use the form authentication
2. getting the user and her roles for further authorization in the future (in
Struts Actions), by using the .isUserInRoles and stuff like that.
Any help would be greatly appreciated.
P.S.: My apologies for this late follow-up.
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3854274#3854274
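
The following is an added example, not part of the original post and not code from JBoss or Struts: a Struts 1 Action that relies on the container-managed FORM login from the quoted life cycle (login form posting j_username and j_password to j_security_check) and reads the authenticated user and roles through the servlet API. The package, class name, request attribute and the forward names `login`, `admin` and `main` are hypothetical; the role names are the ones from the web.xml above.

```java
package example; // hypothetical package

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Added example. Assumed to be mapped to a *.do path covered by the
 * security-constraint, so the container has already authenticated the
 * caller through the configured login module before execute() runs.
 */
public class MainMenuAction extends Action {

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {

        // Populated by the container after a successful j_security_check post.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Only reachable if this path is not covered by the constraint:
            // fail closed instead of treating the caller as logged in.
            return mapping.findForward("login"); // hypothetical forward
        }

        // Make the login name available to the view (hypothetical attribute name).
        request.setAttribute("userName", user.getName());

        // Role names as listed in the auth-constraint in web.xml above.
        if (request.isUserInRole("AdminRole")) {
            return mapping.findForward("admin"); // hypothetical forward
        }
        if (request.isUserInRole("UserRole")) {
            return mapping.findForward("main");  // hypothetical forward
        }

        // Authenticated but holding neither role: refuse rather than guess.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return null; // response already committed, nothing to forward to
    }
}
```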