Re: How To Work Out This Action Mapping?
Caroline Jen wrote:

> To answer your questions:
>
> 1. The LOGON button links to a forward:
>
>    <html:link forward="logon">LOGON</html:link>
>
>    and in my struts-config.xml, I have
>
>    <forward name="logon" path="/do/admin/Menu"/>

Well, that's the first problem ... security constraints are only applied on an original request from the client, not on a forward. You'll need to add redirect="true" to this, in order to get the client to request it.

> 2. the security-constraint in my web.xml is:
>
>    <security-constraint>
>      <web-resource-collection>
>        <web-resource-name>Administrative</web-resource-name>
>        <!-- The URLs to protect -->
>        <url-pattern>/do/admin/*</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>        <!-- The authorized users -->
>        <role-name>administrator</role-name>
>        <role-name>contributor</role-name>
>      </auth-constraint>
>    </security-constraint>
>
> By the way, there is another problem -- after the insertion of the security-constraint, the application totally stops functioning. No welcome page displayed. In the browser, I have
>
>    HTTP Status 404 -/PracticeVersion
>    description: The requested resource(/PracticeVersion) is not availabe.
>
> and in the Tomcat log file, I have:
>
>    LifecycleException: Container StandardContext[/PracticeVersion] has not been started

That means you did not obey the required element order in the web.xml file. You'll undoubtedly see a stack trace in the log files that talks about an XML parsing error.

The correct order is defined by the DTD for web.xml files. Among other places, you'll find a copy of the DTDs for Servlet 2.2 and Servlet 2.3 in the lib directory of your Struts distribution. Open either web_app_2_2.dtd or web_app_2_3.dtd (depending on which version you're using) and look for the line that starts

    <!ELEMENT webapp

The list of element names in parentheses is the required order for elements in your own web.xml files.

> Thereafter, I deleted the security-constraint element from the web.xml file. I have the welcome page displayed. After I click on the LOGON button in the welcome page, the welcome page remains in the browser. The logon.jsp, which collects j_username, j_password, does not get displayed and http://localhost:8080/PracticeVersion/do/admin/Menu shows in the address bar.

Change your forward to add redirect="true" and put the security constraint in the correct order, and you should be good to go.

Craig
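Added example (not part of the original thread, and not code from Struts or Tomcat): a small Python check for the element-order rule described in the reply above, run against two constructed web.xml documents that reuse the thread's security-constraint and login-config. The order list follows the web-app content model in web_app_2_3.dtd; the function names, the servlet mapping and both sample documents are assumptions made for the illustration.

```python
"""Added example: check web.xml child order against the Servlet 2.3 DTD."""
import xml.etree.ElementTree as ET

# Child order from the web-app content model in web_app_2_3.dtd.
WEB_APP_2_3_ORDER = [
    "icon", "display-name", "description", "distributable",
    "context-param", "filter", "filter-mapping", "listener",
    "servlet", "servlet-mapping", "session-config", "mime-mapping",
    "welcome-file-list", "error-page", "taglib", "resource-env-ref",
    "resource-ref", "security-constraint", "login-config",
    "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]
RANK = {name: i for i, name in enumerate(WEB_APP_2_3_ORDER)}


def order_violations(web_xml_text):
    """Return one message per child element that breaks the DTD order.

    Only the sequence is checked, not how often an element may occur.
    """
    root = ET.fromstring(web_xml_text)
    problems = []
    highest = None  # element with the highest rank seen so far
    for child in root:
        tag = child.tag
        if tag not in RANK:
            problems.append("<%s> is not a web-app 2.3 element" % tag)
        elif highest is not None and RANK[tag] < RANK[highest]:
            problems.append("<%s> must come before <%s>" % (tag, highest))
        else:
            highest = tag
    return problems


def undeclared_roles(web_xml_text):
    """Roles named in an auth-constraint without a security-role entry.

    The 2.3 DTD asks for each such role-name to match a security-role
    element, except the reserved name "*".
    """
    root = ET.fromstring(web_xml_text)
    used = {(r.text or "").strip() for r in
            root.findall("security-constraint/auth-constraint/role-name")}
    declared = {(r.text or "").strip() for r in
                root.findall("security-role/role-name")}
    return sorted(used - declared - {"*"})


# Constructed fragments (DOCTYPE left out so the samples parse offline).
SERVLET = """
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>/do/*</url-pattern>
  </servlet-mapping>"""
CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative</web-resource-name>
      <url-pattern>/do/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>contributor</role-name>
    </auth-constraint>
  </security-constraint>"""
LOGIN = """
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/signin/logon.jsp</form-login-page>
      <form-error-page>/signin/logon.jsp?error=true</form-error-page>
    </form-login-config>
  </login-config>"""
ROLES = """
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>contributor</role-name></security-role>"""

# Constraint pasted at the top of the file, ahead of the servlet elements.
MISORDERED = "<web-app>" + CONSTRAINT + SERVLET + LOGIN + "</web-app>"
# Same content in DTD order, with the roles declared.
ORDERED = "<web-app>" + SERVLET + CONSTRAINT + LOGIN + ROLES + "</web-app>"

if __name__ == "__main__":
    for label, doc in (("misordered", MISORDERED), ("ordered", ORDERED)):
        print(label, order_violations(doc), undeclared_roles(doc))
```

Running it on a real web.xml before deployment shows an ordering mistake without having to read the container's startup log.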
Re: How To Work Out This Action Mapping?
Craig, thank you for your very strong support in the past day or two to guide me through problems with the container-managed authentication.

I looked at my web.xml file again and again. There is nothing wrong with the order of the elements in that file. And there is no stack trace in the log files that talks about an XML parsing error.

I did some experiments. I found that as long as I have the JDBCRealm in the $TOMCAT_HOME/conf/server.xml, the Tomcat does not accept security-constraint element in the application's web.xml file. And the Tomcat gives me the required resource /MyApplication is not available HTTP Status 404.

Have you seen this kind of problem before? I have posted the question at the tomcat-user discussion forum.

--Caroline
How To Work Out This Action Mapping?
Because there is such a statement (shown below) in my signinForm.jsp:

    <html:form action="j_security_check" method="post" focus="j_username">

I put

    <action name="j_security_check" path="/do/admin/Menu"/>

in my struts-config.xml file. When I ran the application, I got:

    [ServletException in:/article/content/signinForm.jsp] Cannot retrieve mapping for action /j_security_check'

I know that I did not specify the action properly. What is the correct way to do it?
Re: How To Work Out This Action Mapping?
I think you may be doing two things wrong:

1. j_security_check is a special URL. If you have a security realm defined in your web application, and authentication method specified as FORM, then the container will automatically forward any requests for protected resources to a configurable login form. This login form collects the username and password, and posts to this special URL; the post to j_security_check gets intercepted by your servlet container, which performs Container Managed Authentication - it looks for the j_username and j_password, authenticates the combination, and forwards to the originally requested resource, or to a configurable error page if the authentication fails.

All this to say that you can not map an action to j_security_check. Furthermore, you can't even aggressively authenticate using CMA (Container Managed Authentication) - if you go directly to your login page (without being forwarded there by your container), and try to submit the form, you'll get an error.

2. If you were trying to map a legitimate URL, then you'd have your action properties wrong.

    <action path="/someLegitimatePath"
            type="your.action.class"
            name="name of a previously defined ActionForm if needed for this action">
    </action>

HTH,
-Sasha

On 10/10/03 20:21, Caroline Jen [EMAIL PROTECTED] wrote:

> Because there is such a statement (shown below) in my signinForm.jsp:
>
>    <html:form action="j_security_check" method="post" focus="j_username">
>
> I put
>
>    <action name="j_security_check" path="/do/admin/Menu"/>
>
> in my struts-config.xml file. When I ran the application, I got:
>
>    [ServletException in:/article/content/signinForm.jsp] Cannot retrieve mapping for action /j_security_check'
>
> I know that I did not specify the action properly. What is the correct way to do it?
Re: How To Work Out This Action Mapping?
Thank you for your reply. I am using container managed authentication. My problem is how to go from j_security_check back to my Struts framework.

I have my Tomcat JDBCRealm configured and users, user_roles tables prepared in the database. In my struts-config.xml file, I did this forward when users click on the LOGON button:

    <forward name="logon" path="/signin/logon.jsp"/>

and in my web.xml file, I have:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/signin/logon.jsp</form-login-page>
        <form-error-page>/signin/logon.jsp?error=true</form-error-page>
      </form-login-config>
    </login-config>

The Tomcat server found the signinForm.jsp through the /signin/logon.jsp without problem, and my signinForm.jsp is correctly prepared:

    <%@ taglib uri="/tags/struts-html" prefix="html" %>
    <HTML>
    <HEAD>
    <TITLE>Container Managed Authentication</TITLE>
    </HEAD>
    <BODY>
    <html:errors/>
    <html:form action="j_security_check" method="post" focus="j_username">
    <TABLE border="0" width="100%">
    <TR>
    <TH align="right">User Name:</TH>
    <TD align="left"><html:text property="j_username" size="25"/></TD>
    </TR>
    <TR>
    <TH align="right">Password:</TH>
    <TD align="left"><html:password property="j_password" size="10"/></TD>
    </TR>
    <TR>
    <TD align="right"><html:submit/></TD>
    <TD align="left"><html:reset/></TD>
    </TR>
    </TABLE>
    </html:form>
    </BODY>
    </HTML>

--Caroline
Re: How To Work Out This Action Mapping?
Caroline Jen wrote:

> Thank you for your reply. I am using container managed authentication. My problem is how to go from j_security_check back to my Struts framework.

That turns out to not be your problem ... that is the container's problem.

The key thing to remember is that the user should never access your login page (whatever its URL is) directly. Instead, form-based login is triggered the first time that an unauthenticated user requests a URL that is protected by a security constraint. What happens next goes like this:

(1) Unauthenticated user requests a protected resource (*NOT* the login page!)

(2) Container remembers the protected resource that was requested in a private variable.

(3) Container displays the login page, which must have a destination of j_security_check, and waits for the user submit. For some containers, including Tomcat, this is the one-and-only time that submitting to j_security_check will not return a 404.

(4) User enters username and password, and presses the submit button.

(5) Container authenticates the username and password combination. If valid, container recalls the resource saved in (2) and displays *that* to the user in response to the login submit.

If this doesn't make sense, temporarily switch your app to use BASIC authentication instead, and walk through the process. The user experience will be identical except that the login page will be a popup dialog box instead of your configured login page. (Technically, it's different in one other respect -- it's the *browser* that does the remembering in step (2) and the restoring in step (5), but the user doesn't know that).

The important point is that, at no time, did anyone ever submit a request to the URL of the login page, because there is no such thing when using BASIC authentication. You should pretend there is no such thing when using form based login, also; think of the login page as part of the container, not part of your app.

In answer to your original question, the simplest thing to do on a login page is just use the standard HTML form element instead of the Struts html:form tag. Then, you can just say:

    <form method="POST" action="j_security_check">
    ...
    </form>

Craig
Re: How To Work Out This Action Mapping?
Thank you very much for the detailed explanation. Yet, I still have a hard time to make my application work -- I am able to display the welcome page (no problem). And I have http://localhost:8080/PracticeVersion/do/Menu;jsessionid=0A6E76A8F3E849BC8DAAC45BFB72F72E in the address bar.

However, after I click on the LOGON button in the welcome page, the welcome page remains in the browser. The logon.jsp, which collects j_username, j_password, does not get displayed and http://localhost:8080/PracticeVersion/do/admin/Menu shows in the address bar. I do not know what went wrong. Could it be that the JDBCRealm is not configured correctly?

Because the LOGON button links to a forward:

    <html:link forward="logon">LOGON</html:link>

and in my struts-config.xml, I have

    <forward name="logon" path="/do/admin/Menu"/>

The /do/admin/Menu is my protected resources. I keep it unchanged.

1. I configured the Tomcat JDBCRealm and prepared the users table, user-roles table according to the instructions found at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

2. Because I want to use FORM based container managed authentication, I inserted

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/signin/logon.jsp</form-login-page>
        <form-error-page>/signin/logon.jsp?error=true</form-error-page>
      </form-login-config>
    </login-config>

in the web.xml file.

3. I put logon.jsp in the ApplicationRoot/signin folder. Here is the code of the logon.jsp (I took out all the Struts tags) and I know the code works well because I have tested it:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <TITLE>Container Managed Authentication</TITLE>
    </HEAD>
    <BODY>
    <H1>Sign in, Please</H1>
    <HR>
    <FORM action="j_security_check" method="post" focus="j_username">
    <TABLE border="0" width="50%" cellspacing="3" cellpadding="2">
    <TR>
    <TH align="right">User Name:</TH>
    <TD align="left"><INPUT TYPE="text" NAME="j_username" SIZE="25"/></TD>
    </TR>
    <TR>
    <TH align="right">Password:</TH>
    <TD align="left"><INPUT TYPE="password" NAME="j_password" SIZE="10"/></TD>
    </TR>
    <TR>
    <TD align="right"><INPUT TYPE="submit" VALUE="Submit"></TD>
    <TD align="left"><INPUT TYPE="reset" VALUE="Reset"></TD>
    </TR>
    </TABLE>
    </FORM>
    </BODY>
    </HTML>

--Caroline
Re: How To Work Out This Action Mapping?
Caroline Jen wrote:

> Thank you very much for the detailed explanation. Yet, I still have a hard time to make my application work -- I am able to display the welcome page (no problem). And I have http://localhost:8080/PracticeVersion/do/Menu;jsessionid=0A6E76A8F3E849BC8DAAC45BFB72F72E in the address bar.
>
> However, after I click on the LOGON button in the welcome page, the welcome page

Where does this LOGON button submit to? If it submits to j_security_check, you are doing this wrong. It should submit to some resource that is protected by a security constraint.

> remains in the browser. The logon.jsp, which collects j_username, j_password, does not get displayed and http://localhost:8080/PracticeVersion/do/admin/Menu shows in the address bar. I do not know what went wrong. Could it be that the JDBCRealm is not configured correctly?
>
> Because the LOGON button links to a forward:
>
>    <html:link forward="logon">LOGON</html:link>
>
> and in my struts-config.xml, I have
>
>    <forward name="logon" path="/do/admin/Menu"/>
>
> The /do/admin/Menu is my protected resources. I keep it unchanged.

It's only protected if it's listed in a security-constraint in web.xml.

> 1. I configured the Tomcat JDBCRealm and prepared the users table, user-roles table according to the instructions found at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

Which Realm you use does not make any difference.

> 2. Because I want to use FORM based container managed authentication, I inserted
>
>    <login-config>
>      <auth-method>FORM</auth-method>
>      <form-login-config>
>        <form-login-page>/signin/logon.jsp</form-login-page>
>        <form-error-page>/signin/logon.jsp?error=true</form-error-page>
>      </form-login-config>
>    </login-config>
>
> in the web.xml file.

What does your security-constraint in web.xml look like? This is the critical ingredient.

Craig
Re: How To Work Out This Action Mapping?
To answer your questions:

1. The LOGON button links to a forward:

    <html:link forward="logon">LOGON</html:link>

and in my struts-config.xml, I have

    <forward name="logon" path="/do/admin/Menu"/>

2. the security-constraint in my web.xml is:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Administrative</web-resource-name>
        <!-- The URLs to protect -->
        <url-pattern>/do/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- The authorized users -->
        <role-name>administrator</role-name>
        <role-name>contributor</role-name>
      </auth-constraint>
    </security-constraint>

By the way, there is another problem -- after the insertion of the security-constraint, the application totally stops functioning. No welcome page displayed. In the browser, I have

    HTTP Status 404 -/PracticeVersion
    description: The requested resource(/PracticeVersion) is not availabe.

and in the Tomcat log file, I have:

    LifecycleException: Container StandardContext[/PracticeVersion] has not been started

Thereafter, I deleted the security-constraint element from the web.xml file. I have the welcome page displayed. After I click on the LOGON button in the welcome page, the welcome page remains in the browser. The logon.jsp, which collects j_username, j_password, does not get displayed and http://localhost:8080/PracticeVersion/do/admin/Menu shows in the address bar.

--Caroline