RE: How does ActionForm data pass through container called form based login page?
I'll be very interested to here the outcome... Thanks Martin -Original Message- From: Pady Srinivasan [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 16:07 To: Struts Users Mailing List Subject: RE: How does ActionForm data pass through container called form based login page? We were going to implement this today or early next week :-)...looking at the code, I feel you don't need to extend ActionServlet at all. Instead the filter will create the request before forwarding to the ActionServlet. public class LoginFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; ServletContext context = filterConfig.getServletContext(); If ( !loggedIn ) { // save all parameters to session // save current URI as REDIRECT_URI in session // redirect to login action } else if ( redirectUriIsSet ) { RedirectServletRequest newreq = new RedirectServletRequest(request); Chain.doFilter(newreq, response); } } Thanks -- pady [EMAIL PROTECTED] -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 10:35 AM To: 'Struts Users Mailing List' Subject: RE: How does ActionForm data pass through container called form based login page? Paddy, Looks like you've been here before!! :-) It'll take me a bit of time to digest this, but I'll have a look. Does this actually work for you? Thanks Martin -Original Message- From: Pady Srinivasan [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 15:21 To: Struts Users Mailing List Subject: RE: How does ActionForm data pass through container called form based login page? This is the only solution I can think of: public class RedirectServletRequest extends HttpServletRequest { public RedirectServletRequest(HttpServletRequest req) { this.request = req; } public String getParameter(String name) { if ( request.getParameter(name) == null ) { String paramVal = (String)request.getSession(). getAttribute("TEMP_SAVED_PARAM"); request.getSession().removeAttribute("TEMP_SAVED_PARAM"); return paramVal; } return (String)request.getParameter(name); } // override all other methods using the delegate request } public class RedirectActionServlet extends ActionServlet { public void doPost(HttpServletRequest request, ...) { process(new RedirectActionServlet(request), response); } public void doGet(HttpServletRequest request, ...) { process(new RedirectActionServlet(request), response); } } public class LoginFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; ServletContext context = filterConfig.getServletContext(); If ( !loggedIn ) { // save all parameters to session // save current URI as REDIRECT_URI in session // redirect to login action } } public class LoginAction extends Action { public void execute(...) { // do login // login success // redirect to REDIRECT_URI } } Thanks -- pady [EMAIL PROTECTED] -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 8:59 AM To: 'Struts Users Mailing List' Subject: RE: How does ActionForm data pass through container called form based login page? Well I've just simplified by login form - plain html - no struts stuff going on. I've also simplified the filter so detects a fresh logon and starts a session accordingly - no longer any redirecting to LoginAction. However the critical behaviour is still the same - existingCustomerForm - the one I need to survive the login process still ends up getting trashed. I'm wondering if I have to make every form (that might span a session timeout) part of the login page so that it stays alive - this sounds like a ridiculous solution. Has anyone else got a solution? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 09:41 To: [EMAIL PROTECTED] Subject: How does ActionForm data pass through container called form based login page? Hi, Suppose I've got a web based form that posts data to an action, and I have that action protected by container form bas
RE: How does ActionForm data pass through container called form b ased login page?
We were going to implement this today or early next week :-)...looking at the code, I feel you don't need to extend ActionServlet at all. Instead the filter will create the request before forwarding to the ActionServlet. public class LoginFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; ServletContext context = filterConfig.getServletContext(); If ( !loggedIn ) { // save all parameters to session // save current URI as REDIRECT_URI in session // redirect to login action } else if ( redirectUriIsSet ) { RedirectServletRequest newreq = new RedirectServletRequest(request); Chain.doFilter(newreq, response); } } Thanks -- pady [EMAIL PROTECTED] -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 10:35 AM To: 'Struts Users Mailing List' Subject: RE: How does ActionForm data pass through container called form based login page? Paddy, Looks like you've been here before!! :-) It'll take me a bit of time to digest this, but I'll have a look. Does this actually work for you? Thanks Martin -Original Message- From: Pady Srinivasan [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 15:21 To: Struts Users Mailing List Subject: RE: How does ActionForm data pass through container called form based login page? This is the only solution I can think of: public class RedirectServletRequest extends HttpServletRequest { public RedirectServletRequest(HttpServletRequest req) { this.request = req; } public String getParameter(String name) { if ( request.getParameter(name) == null ) { String paramVal = (String)request.getSession(). getAttribute("TEMP_SAVED_PARAM"); request.getSession().removeAttribute("TEMP_SAVED_PARAM"); return paramVal; } return (String)request.getParameter(name); } // override all other methods using the delegate request } public class RedirectActionServlet extends ActionServlet { public void doPost(HttpServletRequest request, ...) { process(new RedirectActionServlet(request), response); } public void doGet(HttpServletRequest request, ...) { process(new RedirectActionServlet(request), response); } } public class LoginFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; ServletContext context = filterConfig.getServletContext(); If ( !loggedIn ) { // save all parameters to session // save current URI as REDIRECT_URI in session // redirect to login action } } public class LoginAction extends Action { public void execute(...) { // do login // login success // redirect to REDIRECT_URI } } Thanks -- pady [EMAIL PROTECTED] -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 8:59 AM To: 'Struts Users Mailing List' Subject: RE: How does ActionForm data pass through container called form based login page? Well I've just simplified by login form - plain html - no struts stuff going on. I've also simplified the filter so detects a fresh logon and starts a session accordingly - no longer any redirecting to LoginAction. However the critical behaviour is still the same - existingCustomerForm - the one I need to survive the login process still ends up getting trashed. I'm wondering if I have to make every form (that might span a session timeout) part of the login page so that it stays alive - this sounds like a ridiculous solution. Has anyone else got a solution? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 09:41 To: [EMAIL PROTECTED] Subject: How does ActionForm data pass through container called form based login page? Hi, Suppose I've got a web based form that posts data to an action, and I have that action protected by container form based authorization - how does the ActionForm data get through. I have a situation like this, and my ActionForm is empty after I've been through the form-based login page. One could say - stick the input form in the constrained area also, so the login page doesn't come between the i
RE: How does ActionForm data pass through container called form based login page?
I think I need to do some simple test cases - with and without struts. Martin -Original Message- From: Joe Germuska [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 15:20 To: Struts Users Mailing List Subject: RE: How does ActionForm data pass through container called form based login page? >I might be able to put some general code in the login form (as a jsp) >that puts all form data present in the previous page into the login form >so it could be passed on, but that will still leave the problem of the >method becomes GET instead of POST. > >I'm really hoping there's a more elegant solution - after this >technology's been around for a while! Yeah, but there are some basic limitations to the container managed security model, and I haven't heard any signs that they are being addressed. For example, container managed security doesn't allow you to present a login form to a user as a component of any page besides the single registered form, and it doesn't allow you to server resources from one path with two different states, "user authorized" or "not authorized"... Both of those are standard in modern webapps, but there's no clean way to handle them using container managed security. (I saw a JDJ article last year that had some work arounds...) So that said, it may not be surprising that the container managed security model also has no support for continuing the flow of request data to the originally requested URL after logging in. Joe -- Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How does ActionForm data pass through container called form based login page?
Paddy, Looks like you've been here before!! :-) It'll take me a bit of time to digest this, but I'll have a look. Does this actually work for you? Thanks Martin -Original Message- From: Pady Srinivasan [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 15:21 To: Struts Users Mailing List Subject: RE: How does ActionForm data pass through container called form based login page? This is the only solution I can think of: public class RedirectServletRequest extends HttpServletRequest { public RedirectServletRequest(HttpServletRequest req) { this.request = req; } public String getParameter(String name) { if ( request.getParameter(name) == null ) { String paramVal = (String)request.getSession(). getAttribute("TEMP_SAVED_PARAM"); request.getSession().removeAttribute("TEMP_SAVED_PARAM"); return paramVal; } return (String)request.getParameter(name); } // override all other methods using the delegate request } public class RedirectActionServlet extends ActionServlet { public void doPost(HttpServletRequest request, ...) { process(new RedirectActionServlet(request), response); } public void doGet(HttpServletRequest request, ...) { process(new RedirectActionServlet(request), response); } } public class LoginFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; ServletContext context = filterConfig.getServletContext(); If ( !loggedIn ) { // save all parameters to session // save current URI as REDIRECT_URI in session // redirect to login action } } public class LoginAction extends Action { public void execute(...) { // do login // login success // redirect to REDIRECT_URI } } Thanks -- pady [EMAIL PROTECTED] -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 8:59 AM To: 'Struts Users Mailing List' Subject: RE: How does ActionForm data pass through container called form based login page? Well I've just simplified by login form - plain html - no struts stuff going on. I've also simplified the filter so detects a fresh logon and starts a session accordingly - no longer any redirecting to LoginAction. However the critical behaviour is still the same - existingCustomerForm - the one I need to survive the login process still ends up getting trashed. I'm wondering if I have to make every form (that might span a session timeout) part of the login page so that it stays alive - this sounds like a ridiculous solution. Has anyone else got a solution? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 09:41 To: [EMAIL PROTECTED] Subject: How does ActionForm data pass through container called form based login page? Hi, Suppose I've got a web based form that posts data to an action, and I have that action protected by container form based authorization - how does the ActionForm data get through. I have a situation like this, and my ActionForm is empty after I've been through the form-based login page. One could say - stick the input form in the constrained area also, so the login page doesn't come between the input form and the action that processes it - but this is actually occurring when a session times out whilst sitting at the input form. Thanks Martin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __ __ This e-mail has been scanned by the Heroix e-mail security system __ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How does ActionForm data pass through container called form based login page?
I might be able to put some general code in the login form (as a jsp) that puts all form data present in the previous page into the login form so it could be passed on, but that will still leave the problem of the method becomes GET instead of POST. I'm really hoping there's a more elegant solution - after this technology's been around for a while! Yeah, but there are some basic limitations to the container managed security model, and I haven't heard any signs that they are being addressed. For example, container managed security doesn't allow you to present a login form to a user as a component of any page besides the single registered form, and it doesn't allow you to server resources from one path with two different states, "user authorized" or "not authorized"... Both of those are standard in modern webapps, but there's no clean way to handle them using container managed security. (I saw a JDJ article last year that had some work arounds...) So that said, it may not be surprising that the container managed security model also has no support for continuing the flow of request data to the originally requested URL after logging in. Joe -- Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How does ActionForm data pass through container called form b ased login page?
This is the only solution I can think of: public class RedirectServletRequest extends HttpServletRequest { public RedirectServletRequest(HttpServletRequest req) { this.request = req; } public String getParameter(String name) { if ( request.getParameter(name) == null ) { String paramVal = (String)request.getSession(). getAttribute("TEMP_SAVED_PARAM"); request.getSession().removeAttribute("TEMP_SAVED_PARAM"); return paramVal; } return (String)request.getParameter(name); } // override all other methods using the delegate request } public class RedirectActionServlet extends ActionServlet { public void doPost(HttpServletRequest request, ...) { process(new RedirectActionServlet(request), response); } public void doGet(HttpServletRequest request, ...) { process(new RedirectActionServlet(request), response); } } public class LoginFilter implements Filter { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; ServletContext context = filterConfig.getServletContext(); If ( !loggedIn ) { // save all parameters to session // save current URI as REDIRECT_URI in session // redirect to login action } } public class LoginAction extends Action { public void execute(...) { // do login // login success // redirect to REDIRECT_URI } } Thanks -- pady [EMAIL PROTECTED] -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: Friday, March 26, 2004 8:59 AM To: 'Struts Users Mailing List' Subject: RE: How does ActionForm data pass through container called form based login page? Well I've just simplified by login form - plain html - no struts stuff going on. I've also simplified the filter so detects a fresh logon and starts a session accordingly - no longer any redirecting to LoginAction. However the critical behaviour is still the same - existingCustomerForm - the one I need to survive the login process still ends up getting trashed. I'm wondering if I have to make every form (that might span a session timeout) part of the login page so that it stays alive - this sounds like a ridiculous solution. Has anyone else got a solution? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 09:41 To: [EMAIL PROTECTED] Subject: How does ActionForm data pass through container called form based login page? Hi, Suppose I've got a web based form that posts data to an action, and I have that action protected by container form based authorization - how does the ActionForm data get through. I have a situation like this, and my ActionForm is empty after I've been through the form-based login page. One could say - stick the input form in the constrained area also, so the login page doesn't come between the input form and the action that processes it - but this is actually occurring when a session times out whilst sitting at the input form. Thanks Martin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __ __ This e-mail has been scanned by the Heroix e-mail security system __ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How does ActionForm data pass through container called form based login page?
Hi Joe, I might be able to put some general code in the login form (as a jsp) that puts all form data present in the previous page into the login form so it could be passed on, but that will still leave the problem of the method becomes GET instead of POST. I'm really hoping there's a more elegant solution - after this technology's been around for a while! Thanks Martin -Original Message- From: Joe Germuska [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 14:21 To: Struts Users Mailing List Subject: RE: How does ActionForm data pass through container called form based login page? At 1:59 PM + 3/26/04, Martin Alley wrote: >Well I've just simplified by login form - plain html - no struts stuff >going on. > >I've also simplified the filter so detects a fresh logon and starts a >session accordingly - no longer any redirecting to LoginAction. > >However the critical behaviour is still the same - existingCustomerForm >- the one I need to survive the login process still ends up getting >trashed. > >I'm wondering if I have to make every form (that might span a session >timeout) part of the login page so that it stays alive - this sounds >like a ridiculous solution. Has anyone else got a solution? It may be a little ridiculous, but if the security implementation doesn't pass along form data when it forwards to the intended destination, then there's not much you can do about it. I'm assuming that the container is intercepting before Struts ever gets a chance to create an ActionForm based on the submission, so I don't think that making them session scoped is likely to help. This probably doesn't constitute a solution, but perhaps extending the session timeout would help a bit. Perhaps you could come up with some kind of javascript hack which calls a URL against the struts app periodically to keep the session alive? Joe -- Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How does ActionForm data pass through container called form based login page?
At 1:59 PM + 3/26/04, Martin Alley wrote: Well I've just simplified by login form - plain html - no struts stuff going on. I've also simplified the filter so detects a fresh logon and starts a session accordingly - no longer any redirecting to LoginAction. However the critical behaviour is still the same - existingCustomerForm - the one I need to survive the login process still ends up getting trashed. I'm wondering if I have to make every form (that might span a session timeout) part of the login page so that it stays alive - this sounds like a ridiculous solution. Has anyone else got a solution? It may be a little ridiculous, but if the security implementation doesn't pass along form data when it forwards to the intended destination, then there's not much you can do about it. I'm assuming that the container is intercepting before Struts ever gets a chance to create an ActionForm based on the submission, so I don't think that making them session scoped is likely to help. This probably doesn't constitute a solution, but perhaps extending the session timeout would help a bit. Perhaps you could come up with some kind of javascript hack which calls a URL against the struts app periodically to keep the session alive? Joe -- Joe Germuska [EMAIL PROTECTED] http://blog.germuska.com "Imagine if every Thursday your shoes exploded if you tied them the usual way. This happens to us all the time with computers, and nobody thinks of complaining." -- Jef Raskin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: How does ActionForm data pass through container called form based login page?
Well I've just simplified by login form - plain html - no struts stuff going on. I've also simplified the filter so detects a fresh logon and starts a session accordingly - no longer any redirecting to LoginAction. However the critical behaviour is still the same - existingCustomerForm - the one I need to survive the login process still ends up getting trashed. I'm wondering if I have to make every form (that might span a session timeout) part of the login page so that it stays alive - this sounds like a ridiculous solution. Has anyone else got a solution? Thanks Martin -Original Message- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 26 March 2004 09:41 To: [EMAIL PROTECTED] Subject: How does ActionForm data pass through container called form based login page? Hi, Suppose I've got a web based form that posts data to an action, and I have that action protected by container form based authorization - how does the ActionForm data get through. I have a situation like this, and my ActionForm is empty after I've been through the form-based login page. One could say - stick the input form in the constrained area also, so the login page doesn't come between the input form and the action that processes it - but this is actually occurring when a session times out whilst sitting at the input form. Thanks Martin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
How does ActionForm data pass through container called form based login page?
Hi, Suppose I've got a web based form that posts data to an action, and I have that action protected by container form based authorization - how does the ActionForm data get through. I have a situation like this, and my ActionForm is empty after I've been through the form-based login page. One could say - stick the input form in the constrained area also, so the login page doesn't come between the input form and the action that processes it - but this is actually occurring when a session times out whilst sitting at the input form. Thanks Martin - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: user login authentication and session timeout
Charles, you can use container managed security or the SecurityFilter to authenticate users when accessing protected resources. You can set the session time out by adding something like the following to your web.xml file: 60 You can find more information on SecurityFilter here: http://sourceforge.net/projects/securityfilter/ Your servlet container documentation should let you know how to implement container managed security. robert > -Original Message- > From: Charles Jordan [mailto:[EMAIL PROTECTED] > Sent: Monday, March 22, 2004 1:35 PM > To: [EMAIL PROTECTED] > Subject: user login authentication and session timeout > > > I'm looking for examples or to be pointed in the right direction on how > to achieve the following. > I want my users to be able to access a mojority of my pages without having > to login, but if they select a specific page a small login pop-up window > would display which would require a valid user name and password. I also > want the session to time-out after a period of time. > Any ides? > > Charles (Allen) Jordan <[EMAIL PROTECTED]> > System Administrator(407)771-8919 > Convergys > 285 International Parkway, > Lake Mary, FL 32746-5007 > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: user login authentication and session timeout
Hi, You can consider the following ways: 1) You can associate an action class for the page that requires a username and password. In that action class you can prompt for username and password. Have a separate action class for the urls that doesn't require login. 2). Have a query string appended to every URL (http://mydomain/mywebapp/myaction.do?login=NA) for the action that does not require login. And http://mydomain/mywebapp/myaction.do?login=REQUIRED). Map the urls that requires username and password to an action class and you can do the validation in this action class. You can specify the session time out in web.xml file for your web app.Refer the code snippet below. 30 HTH Ram Kumar. -Original Message- From: Charles Jordan [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 23, 2004 12:05 AM To: [EMAIL PROTECTED] Subject: user login authentication and session timeout I'm looking for examples or to be pointed in the right direction on how to achieve the following. I want my users to be able to access a mojority of my pages without having to login, but if they select a specific page a small login pop-up window would display which would require a valid user name and password. I also want the session to time-out after a period of time. Any ides? Charles (Allen) Jordan <[EMAIL PROTECTED]> System Administrator(407)771-8919 Convergys 285 International Parkway, Lake Mary, FL 32746-5007 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
user login authentication and session timeout
I'm looking for examples or to be pointed in the right direction on how to achieve the following. I want my users to be able to access a mojority of my pages without having to login, but if they select a specific page a small login pop-up window would display which would require a valid user name and password. I also want the session to time-out after a period of time. Any ides? Charles (Allen) Jordan <[EMAIL PROTECTED]> System Administrator(407)771-8919 Convergys 285 International Parkway, Lake Mary, FL 32746-5007 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[OT] Tomcat 5 + j_security_check + login-error-page
Hello everybody, I am porting my application from Tomcat 4.1.29 to Tomcat 5.0.18. I have a Struts ForwardAction mapped to "/Login.do" that produces the page with login form. Form based authentication is set with the following fragment of the deployment descriptor: FORM /Login.do /Login.do?error=true When the servlet is called with "?error=true" query string it displays additional warning besides the login form. It was working perfectly in Tomcat 4.1.29 but it works in Tomcat 5.0.18 only in half: When user tries to access protected page he is presented with login page. If he enters valid login/password then he receives access to the resourse. But if the user enters invalid login/password then instead of form-error-page Tomcat displays the right page, but within the uri it says "j_security_check" instead of /Login.do?error=true. I have tried to set up AccessLogValve and RequestDumpValve and to set debug attribute on every element in servlet.xml and my context.xml (where applicable) in order to try to understand what is going on inside Tomcat 5, but no luck so far - request damp just shows that 1) there was request to protected resourse 2) Tomcat returned form-login-page 3) user sent it back with invalid login/password 4) Tomcat returned to j_security_check. I had expected that there should be output from Realm between 3) and 4) but there is not. So, at the moment the conclusion is that the code that worked perfectly in Tomcat 4.1.29 doesn 't work in Tomcat 5.0.18 and i don 't know why but i would be delighted if somebody will help me to find this out :) Thanks in advance! Cheers, Ronald - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: 'response has already been committed' on protected page when I expected the login form?
I'm sorry to repost this question, but I wanted to add some more details: I experimented by adding a test page to my protected directory that does not use tiles. When I accessed that test page, got a 404: Page cannot be found. So then I changed the following in my web.xml file from: FORM .login .loginFailed to: FORM /jsp/login/login.jsp /jsp/login/login_failed.jsp Now when I access the test file (the one without tiles) I do get the login form (just the form, not in my tiles). Either way, when I access another file in the same directory that does use tiles, I still get the 'response has already been committed' in the body tile. If I remove the "protection" from the directory, the page works just fine. Thanks in advance for any help, Janice - Original Message - From: "Janice" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, January 23, 2004 2:23 PM Subject: 'response has already been committed' on protected page when I expected the login form? > Hi Gang, > > I've started putting authentication into my struts app. The problem I'm > having is that as soon as I go to an area that is protected, I get the > "response has already been committed" error in my body tile. Could somebody > please tell me what I'm doing wrong? > > This is what I added to web.xml: > " > > > Protected_Pages > These pages are only accessible by authorized > admins > /jsp/admin/* > > > These are the roles that have access. > appAdmin > > > This is how the user data must be transmitted between the > client and the server. > NONE > > > > > FORM > > .login > .loginFailed > > > > > >appAdmin > > > " > > My pages are defined in tiles-def.xml as: > " > > > > > > > > " > > I should note that even when I called the .jsps directly it didn't work > either. > > I feel a little lost here... the how-tos make it sound so easy, but I can't > even get the silly form to show up! > > Thanks in advance, > Janice > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
'response has already been committed' on protected page when I expected the login form?
Hi Gang, I've started putting authentication into my struts app. The problem I'm having is that as soon as I go to an area that is protected, I get the "response has already been committed" error in my body tile. Could somebody please tell me what I'm doing wrong? This is what I added to web.xml: " Protected_Pages These pages are only accessible by authorized admins /jsp/admin/* These are the roles that have access. appAdmin This is how the user data must be transmitted between the client and the server. NONE FORM .login .loginFailed appAdmin " My pages are defined in tiles-def.xml as: " " I should note that even when I called the .jsps directly it didn't work either. I feel a little lost here... the how-tos make it sound so easy, but I can't even get the silly form to show up! Thanks in advance, Janice - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Login Validation using Plug in
Hi, There are many examples available on the web. Try this http://struts.sourceforge.net/community/tutorials.html If you mean Struts Validator plugin, I think login is not the best example because Validator Plugins is about format of input .Validate a login will generally access database to know if login/password are right. Hope this helps. Denis. Sudhakar G wrote: Hi, Can anyone help me how do I validate the login user session using struts Plugin?.Explain me with examples as I am new to struts.. Thanks in Advance.. cheers Sudhakar DISCLAIMER: This message (including attachment if any) is confidential and may be privileged. Before opening attachments please check them for viruses and defects. MindTree Consulting Private Limited (MindTree) will not be responsible for any viruses or defects or any forwarded attachments emanating either from within MindTree or outside. If you have received this message by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change and MindTree shall not be liable for any improper, untimely or incomplete transmission. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Login Validation using Plug in
Hi, Can anyone help me how do I validate the login user session using struts Plugin?.Explain me with examples as I am new to struts.. Thanks in Advance.. cheers Sudhakar DISCLAIMER: This message (including attachment if any) is confidential and may be privileged. Before opening attachments please check them for viruses and defects. MindTree Consulting Private Limited (MindTree) will not be responsible for any viruses or defects or any forwarded attachments emanating either from within MindTree or outside. If you have received this message by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change and MindTree shall not be liable for any improper, untimely or incomplete transmission. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Login Security
hi! you could have an exponential backoff period, where rather than blocking a person (there's a genuine chance you forgot the password and are trying five combinations or so) you disable the account for a period of time which is proportional to the number of tries the user has made. An exponential relationship between the number of tries and the time disabled would be best. so if someone is trying a dictionary attack then with the number of tries increasing the account will be suspended for longer periods. In terms of implementing it, yes i suppose you will need an extra field to record the time when the account will next be active. security is ofcourse relative. you may go for salts when storing passwords, but that depends on you application and its threat model. but i agree, to prevent someone from maliciously blocking another person's account, you should have a mechanism of maybe storing ip addresses, (though a malicious user could spoof these). regards Ajay From: "Janusz Dziadon" <[EMAIL PROTECTED]> Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Subject: Re: Login Security Date: Tue, 16 Dec 2003 23:43:41 +0100 1. I was thinking on corporate solution, where any station has its own ip (maybe from dhcp) 2. I suggested only to store IP, not to compare on next-login or permanent block this IP. It is for future investigation only. 3. This organization may have been "yet blocked" because when has common acount its was disabled any way. Maybe this all solution is not needed or is not good think over. That was only my little remark. JD - Original Message - From: "Hubert Rabago" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, December 16, 2003 11:24 PM Subject: Re: Login Security > Several organizations expose the same IP address for most or all users. You'd be > blocking entire organizations because of one bad login. > > --- Janusz_DziadoƱ <[EMAIL PROTECTED]> wrote: > > I think, that you should register blocked IP anyway in database. It helps to > > explain situations like below. > > > > Try to imagine situation like this: > > one user (A) really doesn't like another user (B) or system administrator > > (C). Than (A) tries to log in into his (B or C) account with bad password. > > His (B or C) account is disabled. Than A person can accuse person B or C > > that they are not work. > > > > Maybe it seems silly, but I have such not good experience. > > Machine IP from wich was maked last try to log-in may helped to explain all > > circumstances. > > > > JD > > > > - Original Message - > > From: "Hookom, Jacob" <[EMAIL PROTECTED]> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]> > > Sent: Tuesday, December 16, 2003 10:46 PM > > Subject: RE: Login Security > > > > > > > Do a HashMap in the action: > > > > > > Key is username > > > Value is Integer or Date > > > > > > If ((value = map.get(key)) != null) > > > { > > > if (value instanceof Date) > > > { > > > // compare timeout dates > > > } > > > else if (value instanceof Integer) > > > { > > > if (value == 3) > > > { > > > map.put(key, new Date(deadline)); > > > } > > > else > > > { > > > map.put(key, new Integer(value + 1)); > > > } > > > } > > > } > > > > > > > > > > > > -Original Message- > > > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > > > Sent: Tuesday, December 16, 2003 3:43 PM > > > To: 'Struts Users Mailing List' > > > Subject: RE: Login Security > > > > > > > > > I am storing the username and password in a table in a mySql database. > > > > > > I think I will just add a field "last_failure" to the user table... and > > > after 3 unsuccessful attempts I will record the time in the > > > "last_failure" field and work out if the timeout has elapsed by querying > > > that field and comparing it to the current time. > > > > > > That way, I wont be using cookies, and will avoid blocking IP address. > > > Does that sound ok? > > > > > > Ciaran > > > > > > -Original Message----- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > > Sent: 16 December 2003 20:46 > > > To: [EMAIL PROTECTED] > > > Cc: [EMAIL PROTECTED] > > > Subject
Re: Login Security
1. I was thinking on corporate solution, where any station has its own ip (maybe from dhcp) 2. I suggested only to store IP, not to compare on next-login or permanent block this IP. It is for future investigation only. 3. This organization may have been "yet blocked" because when has common acount its was disabled any way. Maybe this all solution is not needed or is not good think over. That was only my little remark. JD - Original Message - From: "Hubert Rabago" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, December 16, 2003 11:24 PM Subject: Re: Login Security > Several organizations expose the same IP address for most or all users. You'd be > blocking entire organizations because of one bad login. > > --- Janusz_DziadoƱ <[EMAIL PROTECTED]> wrote: > > I think, that you should register blocked IP anyway in database. It helps to > > explain situations like below. > > > > Try to imagine situation like this: > > one user (A) really doesn't like another user (B) or system administrator > > (C). Than (A) tries to log in into his (B or C) account with bad password. > > His (B or C) account is disabled. Than A person can accuse person B or C > > that they are not work. > > > > Maybe it seems silly, but I have such not good experience. > > Machine IP from wich was maked last try to log-in may helped to explain all > > circumstances. > > > > JD > > > > - Original Message - > > From: "Hookom, Jacob" <[EMAIL PROTECTED]> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]> > > Sent: Tuesday, December 16, 2003 10:46 PM > > Subject: RE: Login Security > > > > > > > Do a HashMap in the action: > > > > > > Key is username > > > Value is Integer or Date > > > > > > If ((value = map.get(key)) != null) > > > { > > > if (value instanceof Date) > > > { > > > // compare timeout dates > > > } > > > else if (value instanceof Integer) > > > { > > > if (value == 3) > > > { > > > map.put(key, new Date(deadline)); > > > } > > > else > > > { > > > map.put(key, new Integer(value + 1)); > > > } > > > } > > > } > > > > > > > > > > > > -Original Message- > > > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > > > Sent: Tuesday, December 16, 2003 3:43 PM > > > To: 'Struts Users Mailing List' > > > Subject: RE: Login Security > > > > > > > > > I am storing the username and password in a table in a mySql database. > > > > > > I think I will just add a field "last_failure" to the user table... and > > > after 3 unsuccessful attempts I will record the time in the > > > "last_failure" field and work out if the timeout has elapsed by querying > > > that field and comparing it to the current time. > > > > > > That way, I wont be using cookies, and will avoid blocking IP address. > > > Does that sound ok? > > > > > > Ciaran > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > > Sent: 16 December 2003 20:46 > > > To: [EMAIL PROTECTED] > > > Cc: [EMAIL PROTECTED] > > > Subject: RE: Login Security > > > > > > Avoid the cookie solution, it's too easy for the user to bypass your > > > security measures and as mentioned below, this solution won't work if > > > the browser has disabled cookies. > > > > > > Don't block IP addresses because they can be easily spoofed and > > > redirected. Dynamic IPs pose a problem as you could be blocking out a > > > legitimate user. > > > > > > How are you storing your list of usernames/passwords? Would it be > > > possible to add an extra bit of data next to each username/password > > > indicating when the login is valid? > > > > > > -Original Message- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] > > > Sent: Tuesday, December 16, 2003 9:09 AM > > > To: [EMAIL PROTECTED] > > > Cc: [EMAIL PROTECTED] > > > Subject: RE: Login Security > > > > > > > > > You could put a cookie on the user's machine that expires after a > > > certain > > > period of time. Of course this only works when cookies are turned one > > > and > &
RE: Login Security
You could apply what I described by defining the key as username+"@"+ip Good idea! -Original Message- From: Janusz Dziadon [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 4:20 PM To: Struts Users Mailing List Subject: Re: Login Security I think, that you should register blocked IP anyway in database. It helps to explain situations like below. Try to imagine situation like this: one user (A) really doesn't like another user (B) or system administrator (C). Than (A) tries to log in into his (B or C) account with bad password. His (B or C) account is disabled. Than A person can accuse person B or C that they are not work. Maybe it seems silly, but I have such not good experience. Machine IP from wich was maked last try to log-in may helped to explain all circumstances. JD - Original Message - From: "Hookom, Jacob" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, December 16, 2003 10:46 PM Subject: RE: Login Security > Do a HashMap in the action: > > Key is username > Value is Integer or Date > > If ((value = map.get(key)) != null) > { > if (value instanceof Date) > { > // compare timeout dates > } > else if (value instanceof Integer) > { > if (value == 3) > { > map.put(key, new Date(deadline)); > } > else > { > map.put(key, new Integer(value + 1)); > } > } > } > > > > -Original Message- > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 3:43 PM > To: 'Struts Users Mailing List' > Subject: RE: Login Security > > > I am storing the username and password in a table in a mySql database. > > I think I will just add a field "last_failure" to the user table... and > after 3 unsuccessful attempts I will record the time in the > "last_failure" field and work out if the timeout has elapsed by querying > that field and comparing it to the current time. > > That way, I wont be using cookies, and will avoid blocking IP address. > Does that sound ok? > > Ciaran > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: 16 December 2003 20:46 > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: RE: Login Security > > Avoid the cookie solution, it's too easy for the user to bypass your > security measures and as mentioned below, this solution won't work if > the browser has disabled cookies. > > Don't block IP addresses because they can be easily spoofed and > redirected. Dynamic IPs pose a problem as you could be blocking out a > legitimate user. > > How are you storing your list of usernames/passwords? Would it be > possible to add an extra bit of data next to each username/password > indicating when the login is valid? > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 9:09 AM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: RE: Login Security > > > You could put a cookie on the user's machine that expires after a > certain > period of time. Of course this only works when cookies are turned one > and > an experienced user could always manually remove their cookie. > > Another solution maybe is to get the user's IP address from the request > Header and add it to a list of invalid IP address with their times of > entry. > Then upon a new request, you will have to check the list and determine > how > long ago the IP address was added. > > I'm just brainstorming here so anybody can criticize these suggestions > freely. > -Jonathan > > -Original Message- > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 10:55 AM > To: [EMAIL PROTECTED] > Subject: Login Security > > > I'm writing a web application using JSP and Struts. I want to add a > security feature to my login page where if a user has three unsuccessful > logins they will be unable to log in for a certain period of time > afterwards. I can count the number of unsuccessful logins ok but how I'm > not sure how to give a timeout after 3 failures. Any ideas how I could > implement this? > > Thanks > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > -- > Juz czas! Wyslij kartke na swieta! >>> http://link.interia.pl/f17a4 > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Login Security
Several organizations expose the same IP address for most or all users. You'd be blocking entire organizations because of one bad login. --- Janusz_DziadoƱ <[EMAIL PROTECTED]> wrote: > I think, that you should register blocked IP anyway in database. It helps to > explain situations like below. > > Try to imagine situation like this: > one user (A) really doesn't like another user (B) or system administrator > (C). Than (A) tries to log in into his (B or C) account with bad password. > His (B or C) account is disabled. Than A person can accuse person B or C > that they are not work. > > Maybe it seems silly, but I have such not good experience. > Machine IP from wich was maked last try to log-in may helped to explain all > circumstances. > > JD > > - Original Message - > From: "Hookom, Jacob" <[EMAIL PROTECTED]> > To: "Struts Users Mailing List" <[EMAIL PROTECTED]> > Sent: Tuesday, December 16, 2003 10:46 PM > Subject: RE: Login Security > > > > Do a HashMap in the action: > > > > Key is username > > Value is Integer or Date > > > > If ((value = map.get(key)) != null) > > { > > if (value instanceof Date) > > { > > // compare timeout dates > > } > > else if (value instanceof Integer) > > { > > if (value == 3) > > { > > map.put(key, new Date(deadline)); > > } > > else > > { > > map.put(key, new Integer(value + 1)); > > } > > } > > } > > > > > > > > -Original Message- > > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, December 16, 2003 3:43 PM > > To: 'Struts Users Mailing List' > > Subject: RE: Login Security > > > > > > I am storing the username and password in a table in a mySql database. > > > > I think I will just add a field "last_failure" to the user table... and > > after 3 unsuccessful attempts I will record the time in the > > "last_failure" field and work out if the timeout has elapsed by querying > > that field and comparing it to the current time. > > > > That way, I wont be using cookies, and will avoid blocking IP address. > > Does that sound ok? > > > > Ciaran > > > > -Original Message- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > Sent: 16 December 2003 20:46 > > To: [EMAIL PROTECTED] > > Cc: [EMAIL PROTECTED] > > Subject: RE: Login Security > > > > Avoid the cookie solution, it's too easy for the user to bypass your > > security measures and as mentioned below, this solution won't work if > > the browser has disabled cookies. > > > > Don't block IP addresses because they can be easily spoofed and > > redirected. Dynamic IPs pose a problem as you could be blocking out a > > legitimate user. > > > > How are you storing your list of usernames/passwords? Would it be > > possible to add an extra bit of data next to each username/password > > indicating when the login is valid? > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, December 16, 2003 9:09 AM > > To: [EMAIL PROTECTED] > > Cc: [EMAIL PROTECTED] > > Subject: RE: Login Security > > > > > > You could put a cookie on the user's machine that expires after a > > certain > > period of time. Of course this only works when cookies are turned one > > and > > an experienced user could always manually remove their cookie. > > > > Another solution maybe is to get the user's IP address from the request > > Header and add it to a list of invalid IP address with their times of > > entry. > > Then upon a new request, you will have to check the list and determine > > how > > long ago the IP address was added. > > > > I'm just brainstorming here so anybody can criticize these suggestions > > freely. > > -Jonathan > > > > -Original Message- > > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, December 16, 2003 10:55 AM > > To: [EMAIL PROTECTED] > > Subject: Login Security > > > > > > I'm writing a web application using JSP and Struts. I want to add a > > security feature to my login page where if a user has three unsuccessful > > logins they will be unable to log in for a certain period of time > > afterwards. I can count the number of unsuccessful logins ok but how I'm > > not sure how to giv
Re: Login Security
I think, that you should register blocked IP anyway in database. It helps to explain situations like below. Try to imagine situation like this: one user (A) really doesn't like another user (B) or system administrator (C). Than (A) tries to log in into his (B or C) account with bad password. His (B or C) account is disabled. Than A person can accuse person B or C that they are not work. Maybe it seems silly, but I have such not good experience. Machine IP from wich was maked last try to log-in may helped to explain all circumstances. JD - Original Message - From: "Hookom, Jacob" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, December 16, 2003 10:46 PM Subject: RE: Login Security > Do a HashMap in the action: > > Key is username > Value is Integer or Date > > If ((value = map.get(key)) != null) > { > if (value instanceof Date) > { > // compare timeout dates > } > else if (value instanceof Integer) > { > if (value == 3) > { > map.put(key, new Date(deadline)); > } > else > { > map.put(key, new Integer(value + 1)); > } > } > } > > > > -Original Message- > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 3:43 PM > To: 'Struts Users Mailing List' > Subject: RE: Login Security > > > I am storing the username and password in a table in a mySql database. > > I think I will just add a field "last_failure" to the user table... and > after 3 unsuccessful attempts I will record the time in the > "last_failure" field and work out if the timeout has elapsed by querying > that field and comparing it to the current time. > > That way, I wont be using cookies, and will avoid blocking IP address. > Does that sound ok? > > Ciaran > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: 16 December 2003 20:46 > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: RE: Login Security > > Avoid the cookie solution, it's too easy for the user to bypass your > security measures and as mentioned below, this solution won't work if > the browser has disabled cookies. > > Don't block IP addresses because they can be easily spoofed and > redirected. Dynamic IPs pose a problem as you could be blocking out a > legitimate user. > > How are you storing your list of usernames/passwords? Would it be > possible to add an extra bit of data next to each username/password > indicating when the login is valid? > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 9:09 AM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: RE: Login Security > > > You could put a cookie on the user's machine that expires after a > certain > period of time. Of course this only works when cookies are turned one > and > an experienced user could always manually remove their cookie. > > Another solution maybe is to get the user's IP address from the request > Header and add it to a list of invalid IP address with their times of > entry. > Then upon a new request, you will have to check the list and determine > how > long ago the IP address was added. > > I'm just brainstorming here so anybody can criticize these suggestions > freely. > -Jonathan > > -Original Message- > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 10:55 AM > To: [EMAIL PROTECTED] > Subject: Login Security > > > I'm writing a web application using JSP and Struts. I want to add a > security feature to my login page where if a user has three unsuccessful > logins they will be unable to log in for a certain period of time > afterwards. I can count the number of unsuccessful logins ok but how I'm > not sure how to give a timeout after 3 failures. Any ideas how I could > implement this? > > Thanks > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > -- > Juz czas! Wyslij kartke na swieta! >>> http://link.interia.pl/f17a4 > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Login Security
On 16/12/2003 21:43, "Ciaran Hanley" <[EMAIL PROTECTED]> wrote: > > I am storing the username and password in a table in a mySql database. > > I think I will just add a field "last_failure" to the user table... and > after 3 unsuccessful attempts I will record the time in the > "last_failure" field and work out if the timeout has elapsed by querying > that field and comparing it to the current time. That's the way ;D Pedro Salgado > > That way, I wont be using cookies, and will avoid blocking IP address. > Does that sound ok? > > Ciaran > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: 16 December 2003 20:46 > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: RE: Login Security > > Avoid the cookie solution, it's too easy for the user to bypass your > security measures and as mentioned below, this solution won't work if > the browser has disabled cookies. > > Don't block IP addresses because they can be easily spoofed and > redirected. Dynamic IPs pose a problem as you could be blocking out a > legitimate user. > > How are you storing your list of usernames/passwords? Would it be > possible to add an extra bit of data next to each username/password > indicating when the login is valid? > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 9:09 AM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: RE: Login Security > > > You could put a cookie on the user's machine that expires after a > certain > period of time. Of course this only works when cookies are turned one > and > an experienced user could always manually remove their cookie. > > Another solution maybe is to get the user's IP address from the request > Header and add it to a list of invalid IP address with their times of > entry. > Then upon a new request, you will have to check the list and determine > how > long ago the IP address was added. > > I'm just brainstorming here so anybody can criticize these suggestions > freely. > -Jonathan > > -Original Message- > From: Ciaran Hanley [mailto:[EMAIL PROTECTED] > Sent: Tuesday, December 16, 2003 10:55 AM > To: [EMAIL PROTECTED] > Subject: Login Security > > > I'm writing a web application using JSP and Struts. I want to add a > security feature to my login page where if a user has three unsuccessful > logins they will be unable to log in for a certain period of time > afterwards. I can count the number of unsuccessful logins ok but how I'm > not sure how to give a timeout after 3 failures. Any ideas how I could > implement this? > > Thanks > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Security
Btw, remember to flush the map for that username when they are able to login successfully. -Original Message- From: Hookom, Jacob [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 3:46 PM To: Struts Users Mailing List Subject: RE: Login Security Do a HashMap in the action: Key is username Value is Integer or Date If ((value = map.get(key)) != null) { if (value instanceof Date) { // compare timeout dates } else if (value instanceof Integer) { if (value == 3) { map.put(key, new Date(deadline)); } else { map.put(key, new Integer(value + 1)); } } } -Original Message- From: Ciaran Hanley [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 3:43 PM To: 'Struts Users Mailing List' Subject: RE: Login Security I am storing the username and password in a table in a mySql database. I think I will just add a field "last_failure" to the user table... and after 3 unsuccessful attempts I will record the time in the "last_failure" field and work out if the timeout has elapsed by querying that field and comparing it to the current time. That way, I wont be using cookies, and will avoid blocking IP address. Does that sound ok? Ciaran -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 16 December 2003 20:46 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Login Security Avoid the cookie solution, it's too easy for the user to bypass your security measures and as mentioned below, this solution won't work if the browser has disabled cookies. Don't block IP addresses because they can be easily spoofed and redirected. Dynamic IPs pose a problem as you could be blocking out a legitimate user. How are you storing your list of usernames/passwords? Would it be possible to add an extra bit of data next to each username/password indicating when the login is valid? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 9:09 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Login Security You could put a cookie on the user's machine that expires after a certain period of time. Of course this only works when cookies are turned one and an experienced user could always manually remove their cookie. Another solution maybe is to get the user's IP address from the request Header and add it to a list of invalid IP address with their times of entry. Then upon a new request, you will have to check the list and determine how long ago the IP address was added. I'm just brainstorming here so anybody can criticize these suggestions freely. -Jonathan -Original Message- From: Ciaran Hanley [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 10:55 AM To: [EMAIL PROTECTED] Subject: Login Security I'm writing a web application using JSP and Struts. I want to add a security feature to my login page where if a user has three unsuccessful logins they will be unable to log in for a certain period of time afterwards. I can count the number of unsuccessful logins ok but how I'm not sure how to give a timeout after 3 failures. Any ideas how I could implement this? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Security
Do a HashMap in the action: Key is username Value is Integer or Date If ((value = map.get(key)) != null) { if (value instanceof Date) { // compare timeout dates } else if (value instanceof Integer) { if (value == 3) { map.put(key, new Date(deadline)); } else { map.put(key, new Integer(value + 1)); } } } -Original Message- From: Ciaran Hanley [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 3:43 PM To: 'Struts Users Mailing List' Subject: RE: Login Security I am storing the username and password in a table in a mySql database. I think I will just add a field "last_failure" to the user table... and after 3 unsuccessful attempts I will record the time in the "last_failure" field and work out if the timeout has elapsed by querying that field and comparing it to the current time. That way, I wont be using cookies, and will avoid blocking IP address. Does that sound ok? Ciaran -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 16 December 2003 20:46 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Login Security Avoid the cookie solution, it's too easy for the user to bypass your security measures and as mentioned below, this solution won't work if the browser has disabled cookies. Don't block IP addresses because they can be easily spoofed and redirected. Dynamic IPs pose a problem as you could be blocking out a legitimate user. How are you storing your list of usernames/passwords? Would it be possible to add an extra bit of data next to each username/password indicating when the login is valid? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 9:09 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Login Security You could put a cookie on the user's machine that expires after a certain period of time. Of course this only works when cookies are turned one and an experienced user could always manually remove their cookie. Another solution maybe is to get the user's IP address from the request Header and add it to a list of invalid IP address with their times of entry. Then upon a new request, you will have to check the list and determine how long ago the IP address was added. I'm just brainstorming here so anybody can criticize these suggestions freely. -Jonathan -Original Message- From: Ciaran Hanley [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 10:55 AM To: [EMAIL PROTECTED] Subject: Login Security I'm writing a web application using JSP and Struts. I want to add a security feature to my login page where if a user has three unsuccessful logins they will be unable to log in for a certain period of time afterwards. I can count the number of unsuccessful logins ok but how I'm not sure how to give a timeout after 3 failures. Any ideas how I could implement this? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Security
I am storing the username and password in a table in a mySql database. I think I will just add a field "last_failure" to the user table... and after 3 unsuccessful attempts I will record the time in the "last_failure" field and work out if the timeout has elapsed by querying that field and comparing it to the current time. That way, I wont be using cookies, and will avoid blocking IP address. Does that sound ok? Ciaran -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 16 December 2003 20:46 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Login Security Avoid the cookie solution, it's too easy for the user to bypass your security measures and as mentioned below, this solution won't work if the browser has disabled cookies. Don't block IP addresses because they can be easily spoofed and redirected. Dynamic IPs pose a problem as you could be blocking out a legitimate user. How are you storing your list of usernames/passwords? Would it be possible to add an extra bit of data next to each username/password indicating when the login is valid? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 9:09 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: Login Security You could put a cookie on the user's machine that expires after a certain period of time. Of course this only works when cookies are turned one and an experienced user could always manually remove their cookie. Another solution maybe is to get the user's IP address from the request Header and add it to a list of invalid IP address with their times of entry. Then upon a new request, you will have to check the list and determine how long ago the IP address was added. I'm just brainstorming here so anybody can criticize these suggestions freely. -Jonathan -Original Message- From: Ciaran Hanley [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 10:55 AM To: [EMAIL PROTECTED] Subject: Login Security I'm writing a web application using JSP and Struts. I want to add a security feature to my login page where if a user has three unsuccessful logins they will be unable to log in for a certain period of time afterwards. I can count the number of unsuccessful logins ok but how I'm not sure how to give a timeout after 3 failures. Any ideas how I could implement this? Thanks - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Security
BDY.RTF Description: RTF file - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Security
You could put a cookie on the user's machine that expires after a certain period of time. Of course this only works when cookies are turned one and an experienced user could always manually remove their cookie. Another solution maybe is to get the user's IP address from the request Header and add it to a list of invalid IP address with their times of entry. Then upon a new request, you will have to check the list and determine how long ago the IP address was added. I'm just brainstorming here so anybody can criticize these suggestions freely. -Jonathan -Original Message- From: Ciaran Hanley [mailto:[EMAIL PROTECTED] Sent: Tuesday, December 16, 2003 10:55 AM To: [EMAIL PROTECTED] Subject: Login Security I'm writing a web application using JSP and Struts. I want to add a security feature to my login page where if a user has three unsuccessful logins they will be unable to log in for a certain period of time afterwards. I can count the number of unsuccessful logins ok but how I'm not sure how to give a timeout after 3 failures. Any ideas how I could implement this? Thanks
Re: Login Security
One idea The third time the login fails, register the time for that user. When a login gets executed, if the last registered time for the given user is less than the time interval you want -> the login always fails. The user must have something like: User : id || login | password | last_failure | number_failures Hope it helps, Pedro Salgado On 16/12/2003 15:55, "Ciaran Hanley" <[EMAIL PROTECTED]> wrote: > I'm writing a web application using JSP and Struts. I want to add a > security feature to my login page where if a user has three unsuccessful > logins they will be unable to log in for a certain period of time > afterwards. I can count the number of unsuccessful logins ok but how I'm > not sure how to give a timeout after 3 failures. Any ideas how I could > implement this? > > Thanks > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Login Security
I'm writing a web application using JSP and Struts. I want to add a security feature to my login page where if a user has three unsuccessful logins they will be unable to log in for a certain period of time afterwards. I can count the number of unsuccessful logins ok but how I'm not sure how to give a timeout after 3 failures. Any ideas how I could implement this? Thanks
form data lost through login
Hi, I'm having troubles submitting data through an form/action which is protected by the servlet container. Let me explain better the problem: I'm using struts (ver 1.1). I have a JSP containing a form (whith method=POST) to collect some data from a user. Something like: ... ... The submission is protected by container security, i.e. the url of the action (e.g. /submit.do ) is declared in a block in the web.xml file: private action /submit.do admin The container (Tomcat 4.1.24) is configured to ask credentials by means of a FORM login, i.e.: FORM private /login.jsp /loginerror.jsp As expected, when I fill the form and press the submission button the login form appears. I fill it with user name and password, then I press the submisison button of the login form. What appens then is that the Action that I'm using to handle the submitted data doesn't receive the data. The Action Form contains null values. The action is declared with 'session' as scope in my struts-config file. i.e.: Do you know if this is a fault of mine, Tomcat, Struts or, maybe, an expected behavior ? best regards, roberto. -- Roberto Tiella Automated Reasoning Systems - ITC-irst Via Sommarive 18 - Povo 38050 TRENTO - ITALY [EMAIL PROTECTED] tel: +390461314452 http://sra.itc.it - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [OT] - Login Application
Jonathan- The peristence or even existence of any data entity can be ascertained from the DB schema what constraints have you placed on the creation of the Price Index? what relationship does the Price Index have to the username/password ? If the Price Index is constrained (or dependent on ) the existence of a username/password then yes tie the PriceIndex into the Login If the Price Index is not dependent on username/password then the PriceIndex information cookies et al) should exist indepedently.. ~my 2 cents~ -Martin - Original Message - From: "Jonathan Hawkins" <[EMAIL PROTECTED]> To: "Struts List" <[EMAIL PROTECTED]> Sent: Tuesday, December 09, 2003 2:18 PM Subject: [OT] - Login Application > Howdy All, > I am writing a custom login application. > Our organization has several web applications (Struts of course!) > one of which is a shopping cart. > > > The current login application adds two cookies to the users browser - > one that stores a number representing a price index and the other an id. > (Meaning different users pay different amounts for products depending > on their level of membership). > > The issue: > I am adding a 30 day persistence feature to the login if the user > selects a check box at login time. > It is possible that a users price index will change within a 30 day > period due to advancement in their membership. > > Should the shopping cart (or any other app that needs to calculate > price) be responsible for getting the price index vs. the login getting > it? > > Has anyone had a similar situation and if so, how did you solve it? > > > Thanks in advance, > Jonathan Hawkins > Web Programmer > American College of Chest Physicians > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[OT] - Login Application
Howdy All, I am writing a custom login application. Our organization has several web applications (Struts of course!) one of which is a shopping cart. The current login application adds two cookies to the users browser - one that stores a number representing a price index and the other an id. (Meaning different users pay different amounts for products depending on their level of membership). The issue: I am adding a 30 day persistence feature to the login if the user selects a check box at login time. It is possible that a users price index will change within a 30 day period due to advancement in their membership. Should the shopping cart (or any other app that needs to calculate price) be responsible for getting the price index vs. the login getting it? Has anyone had a similar situation and if so, how did you solve it? Thanks in advance, Jonathan Hawkins Web Programmer American College of Chest Physicians - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
processRoles - must lead to login-form...
I'm developing an application where I want to use a fine-grained authentication control using some request parameters plus the action to figure out whether the user may or may not enter the page... I did implement this by making a hack where I checked whether the user was logged in and whether it was neccesary to be logged in to have permissions to enter the requested action. If the user was not logged in and that was a requirement for the action I did send the user through a login page and back to the same requested action. This meant that the parameters where send again... It was a very ugly hack and I am considering to start using the requestProcessor processRoles instead. Now I would like that the user would be sent to a login-form (like the default BASIC login form) before the requested action was requested... So: -How can I send the user through such a login-form if the user hasn't logged in and that's required? -What happens when the processRoles returns false... I see an empty screen. Can that be changed? Thanks Morten Andersen Master of applied mathematics and computer science Amanuensis Interest areas: -e-learning -software engineering -applied math The Maersk Institute of Production technology at Southern Danish University www.mip.sdu.dk Campusvej 55 DK-5230 Odense M Denmark +45 6550-3654 +45 6171-1103 Jabber id: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Preserving original request until after login redirect
That one is pretty simple: - Use a GET request so the programId is part of the URL. - Store the whole URL, including the query string. - Redirect back to the URL (including query string) after the login. The more difficult case is POSTed parameters that don't show up on the query string. All redirects are GETs -- you can't send a reirect that will result in a POST. The ONLY ways you can transparently handle keeping POSTed parameters across a login event is with container-managed security or with a filter. There is no request.setParameter() method, so there is no other way to shove the originally POSTed parameters into a later request. Harder still is multi-part file uploads! I haven't tested my SecurityFilter project with file uploads, but I suspect that it would fail. I haven't tested container-managed security under the file upload condition either -- for all I know, they might fail, too. Keeping request parameters across a login event is one of the subtle things that container-managed security (or my filter-based clone, SecurityFilter) does for you. Trying to support this well in a proprietary turns out to harder than it at first seems (but you can look at SecurityFilter for an example). -Max http://www.securityfilter.org/ - Original Message - From: "Lukas Ćsterreicher" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, November 19, 2003 9:23 AM Subject: Preserving original request until after login redirect > Hello > > I have recently posted a problem I had and then > was told to look at "Redirecting after Logon". > > As far as I have seen (I think I do not have all posts though) > this is not a solution for me as it uses predefined structures > already hardwired into struts. > > My Problem is the following: > I have user-defined user bean which is put into the > session indicating which user is logged in with that session. > Most pages require the user to be logged in, some do not > (this is checked for in each Action). > > Now, for instance I have a page that lists radio > programs. Clicking on one should display the tracks > that are contained in a specific program. For this > a programId parameter is passed in a form. > > The program list page is browsable without > authentication, but the track list page is not. > > So when the user is already logged the tracklist > will just be displayed, if it is not, the request containing > the programId parameter should be saved, then a login > should be done - displaying a login page where the > user enters username and password and upon login > the user is redirected to the track list page. > > I can manage the redirection ofcorse, but I do not know > how to store and restore the request data properly > (in this case, as redirection is done, also the before > saved request containing the programId parameter > is restored as if the action to which is referred to again > was called by a form (but in this case it is redirected > to from an Action). > > Do you know how to do this? > > Thanx in Advance, > Lukas > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Preserving original request until after login redirect
Hello I have recently posted a problem I had and then was told to look at "Redirecting after Logon". As far as I have seen (I think I do not have all posts though) this is not a solution for me as it uses predefined structures already hardwired into struts. My Problem is the following: I have user-defined user bean which is put into the session indicating which user is logged in with that session. Most pages require the user to be logged in, some do not (this is checked for in each Action). Now, for instance I have a page that lists radio programs. Clicking on one should display the tracks that are contained in a specific program. For this a programId parameter is passed in a form. The program list page is browsable without authentication, but the track list page is not. So when the user is already logged the tracklist will just be displayed, if it is not, the request containing the programId parameter should be saved, then a login should be done - displaying a login page where the user enters username and password and upon login the user is redirected to the track list page. I can manage the redirection ofcorse, but I do not know how to store and restore the request data properly (in this case, as redirection is done, also the before saved request containing the programId parameter is restored as if the action to which is referred to again was called by a form (but in this case it is redirected to from an Action). Do you know how to do this? Thanx in Advance, Lukas - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
automate login to other opensource apps
I have several Struts apps with a form-based single signon using a JNDIRealm with md5 passwords in openldap. I'm looking to pass username/password used in Java login to other apps like horde, dotproject, among others for user convenience. Sync of user account info between db stores used by other projects aside, what's the best (and most secure) way of trapping the password in plaintext to pass to other apps ? Seems like it should be a simple thing to do but getPassword of the Realm doesn't appear to be exposed ? am I missing something obvious ? -- jack - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JAAS Login using LoginAction...
> Anyway, tried the > ideas from this website using JBoss 3.2.1 and Struts 1.1? There's nothing specific to Struts you need concern yourself with. The only thing that's struts related is how you get your login information. I've used one of 2 methods: 1. Used a login.jsp, with username and password. LoginAction and LoginForm or 2. No login form. Use Servlet Filter to see if there's a UserView in the session. If not, redirect to a login screen (see #1 above). Now, the details are more specific to JBoss than Struts, and is really beyond the scope of this mailling list. But.. Here's what I suggest: LoginContext loginContext = new LoginContext("client-login", (CallbackHandler)handler); loginContext.login(); Make sure you have "client-login" defined in your login-config.xml, and its using the org.jboss.security.ClientLoginModule. Your application must define the authentication policy that contains your DatabaseLoginModule. Contact me offlist if you have any other questions. Or better yet, visit the JBoss forums. -- Bryce Fischer <[EMAIL PROTECTED]> - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JAAS Login using LoginAction...
I don't think that the things in this article work. For one thing, they are using an auth.conf file and now everything for login module configuration is stored in the login-config.xml file. Anyway, tried the ideas from this website using JBoss 3.2.1 and Struts 1.1? Keith On Mon, 2003-09-22 at 09:05, Parmar, Dipakkumar wrote: > http://www.theserverside.com/resources/article.jsp?l=JAAS > > > -Original Message- > From: Keith Pemberton [mailto:[EMAIL PROTECTED] > Sent: Sunday, September 21, 2003 11:50 PM > To: [EMAIL PROTECTED] > Subject: JAAS Login using LoginAction... > > > I'm having a bit of trouble trying to login to a Database Realm that I > have setup with JBoss. What I would like to do is to be able to login > to the JAAS SecurityManager using a LoginAction. How is the best way to > go about this. I have tried just doing it by calling the LoginContext > login method after having passed the LoginModule and CallbackHandler. > Do I need to create a specialized ActionServlet to do this? What are > all the important things that I should know on how to authenticate users > by using a Struts Action class? Thanks in advance for your tips! > > Keith Pemberton -- Keith Pemberton <[EMAIL PROTECTED]> - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: JAAS Login using LoginAction...
http://www.theserverside.com/resources/article.jsp?l=JAAS -Original Message- From: Keith Pemberton [mailto:[EMAIL PROTECTED] Sent: Sunday, September 21, 2003 11:50 PM To: [EMAIL PROTECTED] Subject: JAAS Login using LoginAction... I'm having a bit of trouble trying to login to a Database Realm that I have setup with JBoss. What I would like to do is to be able to login to the JAAS SecurityManager using a LoginAction. How is the best way to go about this. I have tried just doing it by calling the LoginContext login method after having passed the LoginModule and CallbackHandler. Do I need to create a specialized ActionServlet to do this? What are all the important things that I should know on how to authenticate users by using a Struts Action class? Thanks in advance for your tips! Keith Pemberton -- Keith Pemberton <[EMAIL PROTECTED]> - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: JAAS Login using LoginAction...
Hi Keith, I'm using JAAS with tomcat and it's not incredibly well supported, if at all. I'm not sure if it's the same as what you are talking about. I am using org.apache.catalina.realm.JAASRealm, configured in my tomcat's server.xml. Since I am using container-managed authentication, there is no need for struts to do anything. Struts only ever receives authenticated requests since tomcat sorts that out before letting any through. Adam On 09/22/2003 05:49 AM Keith Pemberton wrote: I'm having a bit of trouble trying to login to a Database Realm that I have setup with JBoss. What I would like to do is to be able to login to the JAAS SecurityManager using a LoginAction. How is the best way to go about this. I have tried just doing it by calling the LoginContext login method after having passed the LoginModule and CallbackHandler. Do I need to create a specialized ActionServlet to do this? What are all the important things that I should know on how to authenticate users by using a Struts Action class? Thanks in advance for your tips! Keith Pemberton -- struts 1.1 + tomcat 4.1.27 + java 1.4.2 Linux 2.4.20 RH9 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
JAAS Login using LoginAction...
I'm having a bit of trouble trying to login to a Database Realm that I have setup with JBoss. What I would like to do is to be able to login to the JAAS SecurityManager using a LoginAction. How is the best way to go about this. I have tried just doing it by calling the LoginContext login method after having passed the LoginModule and CallbackHandler. Do I need to create a specialized ActionServlet to do this? What are all the important things that I should know on how to authenticate users by using a Struts Action class? Thanks in advance for your tips! Keith Pemberton -- Keith Pemberton <[EMAIL PROTECTED]> - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login test in a jsp page - any suggestions
put your pages inside /WEB-INF/ and do an foward to there... I'm not sure if you have to create an foward at strtus-config or not David Thielen wrote: How can I set things up so people can't get to a jsp page? I can set it up so a jsp page is never in the url - but if someone knows the file name they can still get to it. (And a cardinal rule of security is that an unlisted filename is not very effective protection.) thanks - dave - Original Message - From: "Emerson Cargnin" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, August 26, 2003 2:52 PM Subject: Re: login test in a jsp page - any suggestions isn't it should be better to put his verification at actions? maybe a common super action could validade it, but I think that the jsp should be the last place to put it. Ideally, the jsp's are not even exposed to clients, making the access the view only through actions. David Thielen wrote: Hi; I want to put a test in every jsp page to see if the user is logged in. And if not, to forward them to login.jsp. Is there any way to do this other than putting java code in my jsp? I'm hoping there is some struts system like . (Yes, I can have everything be an action that does this test and then goes to the jsp page - but in that case what if they type the path for the jsp page directly?) thanks - dave -- Emerson Cargnin Analista de Sistemas Setor de Desenvolvimento de Sistemas - TRE-SC tel : (048) - 251-3700 - Ramal 3181 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- Emerson Cargnin Analista de Sistemas Setor de Desenvolvimento de Sistemas - TRE-SC tel : (048) - 251-3700 - Ramal 3181 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login test in a jsp page - any suggestions
Dave, If you put your JSP pages under your WEB-INF directory in your web app, they will be protected from direct access by your users. If you use the action forwards in Struts and only forward to the next page once you validate the current page, you shouldn't have a problem. Use the POST method on your forms. -Richard -Original Message- From: David Thielen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 26, 2003 8:03 PM To: Struts Users Mailing List Subject: Re: login test in a jsp page - any suggestions How can I set things up so people can't get to a jsp page? I can set it up so a jsp page is never in the url - but if someone knows the file name they can still get to it. (And a cardinal rule of security is that an unlisted filename is not very effective protection.) thanks - dave - Original Message - From: "Emerson Cargnin" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, August 26, 2003 2:52 PM Subject: Re: login test in a jsp page - any suggestions > isn't it should be better to put his verification at actions? maybe a > common super action could validade it, but I think that the jsp should > be the last place to put it. Ideally, the jsp's are not even exposed > to clients, making the access the view only through actions. > > David Thielen wrote: > > Hi; > > > > I want to put a test in every jsp page to see if the user is logged > > in. And if not, to forward them to login.jsp. Is there any way to do this other than putting java code in my jsp? I'm hoping there is some struts system like . > > > > (Yes, I can have everything be an action that does this test and > > then goes to the jsp page - but in that case what if they type the path for the jsp page directly?) > > > > thanks - dave > > > -- > Emerson Cargnin > Analista de Sistemas > Setor de Desenvolvimento de Sistemas - TRE-SC > tel : (048) - 251-3700 - Ramal 3181 > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login test in a jsp page - any suggestions
I would do this using Servlet Filters. Thanks -- pady [EMAIL PROTECTED] -Original Message- From: David Thielen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 26, 2003 11:03 PM To: Struts Users Mailing List Subject: Re: login test in a jsp page - any suggestions How can I set things up so people can't get to a jsp page? I can set it up so a jsp page is never in the url - but if someone knows the file name they can still get to it. (And a cardinal rule of security is that an unlisted filename is not very effective protection.) thanks - dave - Original Message - From: "Emerson Cargnin" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, August 26, 2003 2:52 PM Subject: Re: login test in a jsp page - any suggestions > isn't it should be better to put his verification at actions? maybe a > common super action could validade it, but I think that the jsp should > be the last place to put it. Ideally, the jsp's are not even exposed to > clients, making the access the view only through actions. > > David Thielen wrote: > > Hi; > > > > I want to put a test in every jsp page to see if the user is logged in. And if not, to forward them to login.jsp. Is there any way to do this other than putting java code in my jsp? I'm hoping there is some struts system like . > > > > (Yes, I can have everything be an action that does this test and then goes to the jsp page - but in that case what if they type the path for the jsp page directly?) > > > > thanks - dave > > > -- > Emerson Cargnin > Analista de Sistemas > Setor de Desenvolvimento de Sistemas - TRE-SC > tel : (048) - 251-3700 - Ramal 3181 > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login test in a jsp page - any suggestions
How can I set things up so people can't get to a jsp page? I can set it up so a jsp page is never in the url - but if someone knows the file name they can still get to it. (And a cardinal rule of security is that an unlisted filename is not very effective protection.) thanks - dave - Original Message - From: "Emerson Cargnin" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, August 26, 2003 2:52 PM Subject: Re: login test in a jsp page - any suggestions > isn't it should be better to put his verification at actions? maybe a > common super action could validade it, but I think that the jsp should > be the last place to put it. Ideally, the jsp's are not even exposed to > clients, making the access the view only through actions. > > David Thielen wrote: > > Hi; > > > > I want to put a test in every jsp page to see if the user is logged in. And if not, to forward them to login.jsp. Is there any way to do this other than putting java code in my jsp? I'm hoping there is some struts system like . > > > > (Yes, I can have everything be an action that does this test and then goes to the jsp page - but in that case what if they type the path for the jsp page directly?) > > > > thanks - dave > > > -- > Emerson Cargnin > Analista de Sistemas > Setor de Desenvolvimento de Sistemas - TRE-SC > tel : (048) - 251-3700 - Ramal 3181 > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login test in a jsp page - any suggestions
I used login as a simple example. But I have another case that is not as simple. I have a 5 page check-out procedure. I want to set it up so that each page will forward to the previous page if the previous page's input fields have not been filled out yet. So each page has to do a different check. In other words, page 1 is the order page. Page 2 is enter your name & address, page 3 is the visa card info. So if they go straight to page 3, I want it to see that the name/address is not entered and go to that page. That page sees that no items are order and forwards to that page. So each page has a unique test and forward to. Any good ideas for this situation? thanks - dave - Original Message - From: "Cezar Nasui" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Tuesday, August 26, 2003 6:56 PM Subject: RE: login test in a jsp page - any suggestions > Hi Dave, > You have more choices to do user authentication, depending on your > application's need, your experience and determination :) > > 1. you can put it in every jsp but just think at the maintenance. Having > to modify all those jsp for one little change is not that fun. > > 2. If you use struts you can check for user in every Action and > depending on the result forward him to the proper page. This again is > difficult to maintain if you have many Actions but it easy to do and > understand > > 3. Extend RequestProcessor class so you can write your code in just one > place. RequestProcessor is called before any Action. I don't have any > link to example but I think someone here will help you with this ;) > > 4. Security constraints / container authentication, related to Tomcat > as I understand is well documented on http://jakarta.apache.com/tomcat/ > The advantage of this method, less code and centralized authentication. > It seems to be the most used method around here > > 5. Filter authentication, similar in a way to container, the same > advantages. Basic you create a class that does the authentication > against database etc, and you modify web.xml file to direct all the > requests by the filter. > > 6. A method I didn't try yet and don't know much about, use of a tag-lib > on every jsp to do the authentication. > > These are the methods I found reading posts going back to 2001 in this > mailing list. I use this link to search the mailing list: > http://marc.theaimsgroup.com/?l=struts-user&r;=1&w;=2 > > HTH, > Cezar > > > -Original Message- > > From: David Thielen [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, August 26, 2003 4:16 PM > > To: Struts-Users > > Subject: login test in a jsp page - any suggestions > > > > Hi; > > > > I want to put a test in every jsp page to see if the user is logged in. And > > if not, to forward them to login.jsp. Is there any way to do this other than > > putting java code in my jsp? I'm hoping there is some struts system like > > . > > > > > > (Yes, I can have everything be an action that does this test and then goes > > to the jsp page - but in that case what if they type the path for the jsp > > page directly?) > > > > thanks - dave > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login test in a jsp page - any suggestions
Hi Dave, You have more choices to do user authentication, depending on your application's need, your experience and determination :) 1. you can put it in every jsp but just think at the maintenance. Having to modify all those jsp for one little change is not that fun. 2. If you use struts you can check for user in every Action and depending on the result forward him to the proper page. This again is difficult to maintain if you have many Actions but it easy to do and understand 3. Extend RequestProcessor class so you can write your code in just one place. RequestProcessor is called before any Action. I don't have any link to example but I think someone here will help you with this ;) 4. Security constraints / container authentication, related to Tomcat as I understand is well documented on http://jakarta.apache.com/tomcat/ The advantage of this method, less code and centralized authentication. It seems to be the most used method around here 5. Filter authentication, similar in a way to container, the same advantages. Basic you create a class that does the authentication against database etc, and you modify web.xml file to direct all the requests by the filter. 6. A method I didn't try yet and don't know much about, use of a tag-lib on every jsp to do the authentication. These are the methods I found reading posts going back to 2001 in this mailing list. I use this link to search the mailing list: http://marc.theaimsgroup.com/?l=struts-user&r;=1&w;=2 HTH, Cezar > -Original Message- > From: David Thielen [mailto:[EMAIL PROTECTED] > Sent: Tuesday, August 26, 2003 4:16 PM > To: Struts-Users > Subject: login test in a jsp page - any suggestions > > Hi; > > I want to put a test in every jsp page to see if the user is logged in. And > if not, to forward them to login.jsp. Is there any way to do this other than > putting java code in my jsp? I'm hoping there is some struts system like > . > > > (Yes, I can have everything be an action that does this test and then goes > to the jsp page - but in that case what if they type the path for the jsp > page directly?) > > thanks - dave > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login test in a jsp page - any suggestions
isn't it should be better to put his verification at actions? maybe a common super action could validade it, but I think that the jsp should be the last place to put it. Ideally, the jsp's are not even exposed to clients, making the access the view only through actions. David Thielen wrote: Hi; I want to put a test in every jsp page to see if the user is logged in. And if not, to forward them to login.jsp. Is there any way to do this other than putting java code in my jsp? I'm hoping there is some struts system like . (Yes, I can have everything be an action that does this test and then goes to the jsp page - but in that case what if they type the path for the jsp page directly?) thanks - dave -- Emerson Cargnin Analista de Sistemas Setor de Desenvolvimento de Sistemas - TRE-SC tel : (048) - 251-3700 - Ramal 3181 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login test in a jsp page - any suggestions
Why not use a servlet filter ? Thanks -- pady [EMAIL PROTECTED] -Original Message- From: David Thielen [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 26, 2003 4:16 PM To: Struts-Users Subject: login test in a jsp page - any suggestions Hi; I want to put a test in every jsp page to see if the user is logged in. And if not, to forward them to login.jsp. Is there any way to do this other than putting java code in my jsp? I'm hoping there is some struts system like . (Yes, I can have everything be an action that does this test and then goes to the jsp page - but in that case what if they type the path for the jsp page directly?) thanks - dave - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
login test in a jsp page - any suggestions
Hi; I want to put a test in every jsp page to see if the user is logged in. And if not, to forward them to login.jsp. Is there any way to do this other than putting java code in my jsp? I'm hoping there is some struts system like . (Yes, I can have everything be an action that does this test and then goes to the jsp page - but in that case what if they type the path for the jsp page directly?) thanks - dave
RE: User authentication methods (or ways to login a user)
I just went through a whole slew of options, and in the end settled on letting tomcat do form based authentication. It works. Good instructions on it in the tomcat docs. Playing with the app directory structure to get a good fit took a little tweaking, I ended up moving everything around a bunch. the app uses tiles, so I had to sport a secured section and unsecured section... So I have a /app directory that is secured by the container. I also prefixed all my secured actions with /app/show_menu.do (app on the front) which seems to prevent me from calling it directly. Can someone tell me if this is bad? I plan on doing more checking in the actions for levels of access... There also is some tag for struts actions for roles (I should go look that up). > -Original Message- > From: Cezar Nasui [mailto:[EMAIL PROTECTED] > Sent: Monday, August 25, 2003 11:33 PM > To: Struts Users Mailing List > Subject: User authentication methods (or ways to login a user) > > > Hi, > > I'm new to Struts and to getr used to it I developped an > application which has to log in a user by checking records > in a database. After reading more posts about user > authentication I've got puzzled and now I try to clarify this thing. > > I identified the following ways to do the authentication: > 1. session variable on user login, check the variable on > each action 2. filter authentication 3. security contraints > = container authentication (?) 4. using a tag in each jsp > for the validation > > Are there any other methods? > > As for what method should one use I think depends on many > factors like the complexity of the application, habits, etc > but the first method is not for use in applications with > many Actions as you'll need to add session validation code > in each action = more difficult to develop and maintain. > Any other things one should know before considering one of > this methods? > > Thanks, > Cezar > > > --- > Outgoing mail is certified Virus Free. > Checked by AVG anti-virus system (http://www.grisoft.com). > Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
User authentication methods (or ways to login a user)
Hi, I'm new to Struts and to getr used to it I developped an application which has to log in a user by checking records in a database. After reading more posts about user authentication I've got puzzled and now I try to clarify this thing. I identified the following ways to do the authentication: 1. session variable on user login, check the variable on each action 2. filter authentication 3. security contraints = container authentication (?) 4. using a tag in each jsp for the validation Are there any other methods? As for what method should one use I think depends on many factors like the complexity of the application, habits, etc but the first method is not for use in applications with many Actions as you'll need to add session validation code in each action = more difficult to develop and maintain. Any other things one should know before considering one of this methods? Thanks, Cezar --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login request
Dear Eric, >From what I learned of interfaces, I would not need to redefine my checkLogin method in each Action subclass. By saying "public class NewAction extends Action implements LoginCheck", I am able to use the LoginCheck's "checkLogin(request)" method as if it were something I'd defined in my class. I only need to import the class to reference it as "implements LoginCheck" and call it as "checkLogin(request)". The only catch (big one) is that ANY changes to the Interface class would require me to recompile ANY classes implementing it or they will instantly break, according to Sun documentation at: http://java.sun.com/docs/books/tutorial/java/interpack/interfaces.html (see title: Warning! Interfaces Cannot Grow!). Another reason I thought of using Interfaces was to allow me to use that function by "implementing" it within other action sub-classes such as DispatchAction, LookupDispatchAction, etc. rather than making an additional subclass to build off of each of those types. Per my posting earlier today, I figured out how to redefine the Struts 1.1 RequestProcessor class so I can use the action's built-in field 'scope' to my own design. That way, I can have my security information available in the struts-config.xml (or module) file(s). Regards, David -Original Message- From: Jung, Eric (Contractor) [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 1:54 PM To: Struts Users Mailing List Subject: RE: login request David, If you implement it with an interface like you wrote: import com.mycompany.auth.LoginCheck; public class MyAction extends Action implements LoginCheck checkLogin(request) <--- 1st line from within the execute won't you have to write the checkLogin() method in each and every Action in your application? -eric -Original Message- From: David G. Friedman [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 9:42 AM To: Struts Users Mailing List; [EMAIL PROTECTED] Subject: Re: login request Dear Andy, I'm doing the same thing you suggest. My approach is to extend the base Action (or any type of Action) class by adding a functon 'checkLogin'. It takes the 'request' as the argument, checks the session for a User bean, and throws an exception if the bean is missing or if the ID number on the bean is zero/unset. In my execute() method I make my first line 'checkLogin(request)' and it handles my authentication. If you try this approach, keep in mind I'm using Struts v1.1 final so I can use exceptions. Tonight I'm going to try switching it to an interface so I can use it to extend any action type by using 3 lines (and without sub-classing): 1. import com.mycompany.auth.LoginCheck; 2. public class MyAction extends Action implements LoginCheck 3. checkLogin(request) <--- 1st line from within the execute or DispatchAction, or LookupDispatchAction method, etc. Regards, David ---Original Message--- From: Andy Richards <[EMAIL PROTECTED]> Sent: 08/20/03 09:46 AM To: [EMAIL PROTECTED] Subject: login request > > Hi, i have created a form and a action which checks to see if a user exists in my database and if so a value object is placed into the session. What i am unsure of is how to a action called everytime a request is made? Can i configure struts-config.xml to send all requests via an action to see if this session object exists, and if not redirect the user to the login page? many thanks Andy -- - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login request + ActionServlet RequestProcessor Action
By sub-classing requestProcessor, I can now do my own authentication within Struts. I believe my solution is both simple and i18n compatible so I am sharing it. Sometime later, I'll probably update it to set a session attribute, "refererPage", where I've stored request.getServetPath() so I can use that to return to the appropriate starting page once I've logged in the user. The basics are: 1. Any logged-in user has a session bean named "User" 2. All "User" beans have a method "int getType()" which returns an 'int' giving the member level allowed to use this action (feel free to use this as a controller for a module as well. If you want a user to have multiple levels, switch a simple int to a map, bit-mask, or other design of your choosing. 3. All login-required actions now have a scope set to 'scope="level,loginActionPath"' where level is a number such as 1, and the loginActionPath is something like '/login.do'. Since my '/login.do' calls a tile, this is where i18n should be able, via tiles i18n configs to set you to a page for your language, say "pig-latin" :) 4. RequestProcessor.processRoles() code below. I left in my log statements so you can see what I did in your log and debug it if you want to use it. // add your own imports for things, and your own User class. public class LoginRequestProcessor extends RequestProcessor { protected boolean processRoles(HttpServletRequest request, HttpServletResponse response, ActionMapping mapping) throws IOException, ServletException { int level = 0; String loginAction; User user = null; log("processRoles() started"); // Is this action protected by role requirements? String roles[] = mapping.getRoleNames(); if ((roles == null) || (roles.length < 1)) { log("processRoles() ended: 1, anyone is allowed to use this"); return (true); }; // Return the standard container security failure message if we have // too few scope arguments - need 2, an integer level and a *.do login url if ( roles.length < 2 ) { log("processRoles() ended: 2, false, #(" + roles.length + ") roles='" + mapping.getRoles() + "' listings"); return (false); }; level = Integer.valueOf(roles[0]).intValue(); log("Level required is (" + level + ")"); loginAction = roles[1]; log("loginAction to use may be (" + loginAction + ")"); // No bean? go to the login action user = (User) request.getSession().getAttribute("User"); if ( user == null ) { log("processRoles() ended: 3, no bean, forced login"); log("...loginAction is (" + loginAction + ")"); log("...request.getContextPath() is (" + request.getContextPath() + ")"); response.sendRedirect( request.getContextPath() + loginAction); return(false); }; // Invalid member level? go to the login action? if ( user.getType() < 1 ) { log("processRoles() ended: 4, incorrent member level(" + user.getType() + "), forced login"); response.sendRedirect( request.getContextPath() + loginAction); return(false); }; // We made it: we're logged in somehow, return true log("processRoles() ended: 5, passed all test, welcome to this feature."); return(true); }; If anyone needs it, I the link to the CSV requestProcessor (if you want to see what they do in processRoles) is: http://cvs.apache.org/viewcvs/jakarta-struts/src/share/org/apache/struts/act ion/RequestProcessor.java?rev=1.32&content-type=text/vnd.viewcvs-markup Regards, David -Original Message- From: Andy Richards [mailto:[EMAIL PROTECTED] Sent: Friday, August 22, 2003 11:58 AM To: David Friedman Cc: [EMAIL PROTECTED] Subject: Re: login request + ActionServlet RequestProcessor Action Hi david I spent a little to much allocated time on this so I had to move on, and I am going to come back to it at a later date. I have a quick 'hack' (a taglib which checks the session in each jsp) for my prototype to present to the client..Anyway, when i do it i will let you know. What i have found so far though is that by using declarative exception handling in my struts-config.xml the error, i think, needs to be thrown from a action class. If i could do it from my requestProcessor that would be great? I wasnt sure how to configure my app to call processRoles() on evey request, so i overrode the locale method as a test as this was
Re: login request + ActionServlet RequestProcessor Action
Hi david I spent a little to much allocated time on this so I had to move on, and I am going to come back to it at a later date. I have a quick 'hack' (a taglib which checks the session in each jsp) for my prototype to present to the client..Anyway, when i do it i will let you know. What i have found so far though is that by using declarative exception handling in my struts-config.xml the error, i think, needs to be thrown from a action class. If i could do it from my requestProcessor that would be great? I wasnt sure how to configure my app to call processRoles() on evey request, so i overrode the locale method as a test as this was been called eveytime. However because the locale method dosnt throw any exceptions i again ran into problems. So overall what i really would like to do would be to extend requestProcessor with my own custom method which throws my own exception which will be redirected to the appropriate page and called on every request. Sounds easy and probably is to someone who has a better understanding of stuts than i do? Anyway wont give up and will let you know if you are interested? Bank holiday this monday!! so a long relaxing weekend is due before i crack on with this one ; ) cheers Andy On Friday 22 Aug 2003 4:21 pm, you wrote: > Andy, > > Did you get processRoles to work for you? > How do you redirect to the (error) page of > your choice in it? > > Thanks, > David > > -Original Message- > From: Andy Richards [mailto:[EMAIL PROTECTED] > Sent: Thursday, August 21, 2003 9:55 AM > To: Struts Users Mailing List > Subject: Re: login request + ActionServlet RequestProcessor Action > > > Hmm > > Strugling a bit with this one now.?? I have extended requestProcessor and > tried to perform a requestDispatch and responseRedirect, however both fail > as > the error message informs me the reponse has already been submitted. I > thought i may be able to use declarative exception handling with global > exceptions in the stuts config to redirect the user to my login page (but > no joy!). Anyone have any ideas? Also what method should i override in the > RequestProcessor when handling my login? > > many thanks > > Andy > > On Thursday 21 Aug 2003 11:40 am, Kok Wei, Koh wrote: > > Yeah you should only need to define your custom > > AuthenticationRequestProcessor class which extends RequestProcessor in > > controller element of your struts-config.xml. > > > > Andy Richards wrote: > > > Hi Kok > > > > > > Good point, never thought about that! One point towards extending the > > > requestProcessor then, as if i am right i configure this in my > > > struts-config.xml and dont need to extend it from every action class. > > > > > > Thanks > > > > > > Andy > > > > > > On Thursday 21 Aug 2003 10:26 am, Kok Wei, Koh wrote: > > >>Hi Andy, > > >> > > >>I guess the decision boils down to how your application is going to be > > >>written. For a project I worked on couple of weeks back, I ran into a > > >>problem where one of my Actions needs to extend a class to inherit some > > >>functionality, but I was stucked because I need to extend my > > >>"AuthenticationAction" which handles all my user login stuff. > > >> > > >>I can't extend from 2 classes, right? I then went on to research the > > >>RequestProcessor. I used tiles of Struts 1.1 in my project so what I > > >> did was I ported the "AuthenticationAction" code to say > > >>"AuthenticationRequestProcessor" and it extends "TilesRequestProcessor" > > >>which extends the Struts "RequestProcessor". > > >> > > >>So it all depends on if you're gonna run into problems like this? > > >> > > >>My 2 cents. Hope this helps. > > >> > > >>Andy Richards wrote: > > >>>Hi > > >>> > > >>>After deciding which approach to take and reading a few of my struts > > >>>books about the controller object ; ) I am now confused as which is > > >>> the most appropriate class to extend to perform my login > > >>> functionality. David suggests extending the base action class, > > >>> however i have read that the RequestProcessor class was added to > > >>> struts1.1 to extend the ActionServlet. From what i can see this class > > >>> handles all requests and one of its methods calls the appropriate > > >>> action. Therefore which would be the better class to extend > > >&g
Page After Login - Refresh problem
Hello, I used Struts to develop a web app which has a login form to permit access to different functionnalities via a menu page. I use a session var I set at login to check if the user has not logged out. The problem that I have is, once I do the logoff, if I use the Back button of the browser to the menu page and do a refresh a new session gets created and I'm able to use the app. I have a filter to do the verification but I tried before doing it in each Action and I have the same problem. I don't access .jsp pages directly, I have an Action for each of them. I read some posts but none seems to talk about my specific problem. It sounds like a begginer caveat but I have no idea what should I do or what am I doing wrong. Any help appreciated, Cezar --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login request + ActionServlet RequestProcessor Action
Hmm Strugling a bit with this one now.?? I have extended requestProcessor and tried to perform a requestDispatch and responseRedirect, however both fail as the error message informs me the reponse has already been submitted. I thought i may be able to use declarative exception handling with global exceptions in the stuts config to redirect the user to my login page (but no joy!). Anyone have any ideas? Also what method should i override in the RequestProcessor when handling my login? many thanks Andy On Thursday 21 Aug 2003 11:40 am, Kok Wei, Koh wrote: > Yeah you should only need to define your custom > AuthenticationRequestProcessor class which extends RequestProcessor in > controller element of your struts-config.xml. > > Andy Richards wrote: > > Hi Kok > > > > Good point, never thought about that! One point towards extending the > > requestProcessor then, as if i am right i configure this in my > > struts-config.xml and dont need to extend it from every action class. > > > > Thanks > > > > Andy > > > > On Thursday 21 Aug 2003 10:26 am, Kok Wei, Koh wrote: > >>Hi Andy, > >> > >>I guess the decision boils down to how your application is going to be > >>written. For a project I worked on couple of weeks back, I ran into a > >>problem where one of my Actions needs to extend a class to inherit some > >>functionality, but I was stucked because I need to extend my > >>"AuthenticationAction" which handles all my user login stuff. > >> > >>I can't extend from 2 classes, right? I then went on to research the > >>RequestProcessor. I used tiles of Struts 1.1 in my project so what I did > >>was I ported the "AuthenticationAction" code to say > >>"AuthenticationRequestProcessor" and it extends "TilesRequestProcessor" > >>which extends the Struts "RequestProcessor". > >> > >>So it all depends on if you're gonna run into problems like this? > >> > >>My 2 cents. Hope this helps. > >> > >>Andy Richards wrote: > >>>Hi > >>> > >>>After deciding which approach to take and reading a few of my struts > >>>books about the controller object ; ) I am now confused as which is the > >>>most appropriate class to extend to perform my login functionality. > >>> David suggests extending the base action class, however i have read > >>> that the RequestProcessor class was added to struts1.1 to extend the > >>>ActionServlet. From what i can see this class handles all requests and > >>>one of its methods calls the appropriate action. Therefore which would > >>> be the better class to extend ActionServlet, RequestProcessor or > >>> Action. Any ideas.? > >>> > >>>thanks > >>> > >>>Andy > >>> > >>>On Wednesday 20 Aug 2003 2:41 pm, David G. Friedman wrote: > >>>>Dear Andy, > >>>> > >>>>I'm doing the same thing you suggest. My approach is > >>>>to extend the base Action (or any type of Action) class > >>>>by adding a functon 'checkLogin'. It takes the 'request' > >>>>as the argument, checks the session for a User bean, and > >>>>throws an exception if the bean is missing or if the ID > >>>>number on the bean is zero/unset. In my execute() method > >>>>I make my first line 'checkLogin(request)' and it handles > >>>>my authentication. > >>>> > >>>>If you try this approach, keep in mind I'm using Struts > >>>>v1.1 final so I can use exceptions. > >>>> > >>>>Tonight I'm going to try switching it to an interface so > >>>>I can use it to extend any action type by using 3 lines > >>>>(and without sub-classing): > >>>> > >>>>1. import com.mycompany.auth.LoginCheck; > >>>>2. public class MyAction extends Action implements LoginCheck > >>>>3. checkLogin(request) <--- 1st line from within the execute > >>>>or DispatchAction, or LookupDispatchAction method, etc. > >>>> > >>>>Regards, > >>>>David > >>>> > >>>>---Original Message--- > >>>>From: Andy Richards <[EMAIL PROTECTED]> > >>>>Sent: 08/20/03 09:46 AM > >>>>To: [EMAIL PROTECTED] > >>>>Subject: login request > &g
Re: login request + ActionServlet RequestProcessor Action
Yeah you should only need to define your custom AuthenticationRequestProcessor class which extends RequestProcessor in controller element of your struts-config.xml. Andy Richards wrote: Hi Kok Good point, never thought about that! One point towards extending the requestProcessor then, as if i am right i configure this in my struts-config.xml and dont need to extend it from every action class. Thanks Andy On Thursday 21 Aug 2003 10:26 am, Kok Wei, Koh wrote: Hi Andy, I guess the decision boils down to how your application is going to be written. For a project I worked on couple of weeks back, I ran into a problem where one of my Actions needs to extend a class to inherit some functionality, but I was stucked because I need to extend my "AuthenticationAction" which handles all my user login stuff. I can't extend from 2 classes, right? I then went on to research the RequestProcessor. I used tiles of Struts 1.1 in my project so what I did was I ported the "AuthenticationAction" code to say "AuthenticationRequestProcessor" and it extends "TilesRequestProcessor" which extends the Struts "RequestProcessor". So it all depends on if you're gonna run into problems like this? My 2 cents. Hope this helps. Andy Richards wrote: Hi After deciding which approach to take and reading a few of my struts books about the controller object ; ) I am now confused as which is the most appropriate class to extend to perform my login functionality. David suggests extending the base action class, however i have read that the RequestProcessor class was added to struts1.1 to extend the ActionServlet. From what i can see this class handles all requests and one of its methods calls the appropriate action. Therefore which would be the better class to extend ActionServlet, RequestProcessor or Action. Any ideas.? thanks Andy On Wednesday 20 Aug 2003 2:41 pm, David G. Friedman wrote: Dear Andy, I'm doing the same thing you suggest. My approach is to extend the base Action (or any type of Action) class by adding a functon 'checkLogin'. It takes the 'request' as the argument, checks the session for a User bean, and throws an exception if the bean is missing or if the ID number on the bean is zero/unset. In my execute() method I make my first line 'checkLogin(request)' and it handles my authentication. If you try this approach, keep in mind I'm using Struts v1.1 final so I can use exceptions. Tonight I'm going to try switching it to an interface so I can use it to extend any action type by using 3 lines (and without sub-classing): 1. import com.mycompany.auth.LoginCheck; 2. public class MyAction extends Action implements LoginCheck 3. checkLogin(request) <--- 1st line from within the execute or DispatchAction, or LookupDispatchAction method, etc. Regards, David ---Original Message--- From: Andy Richards <[EMAIL PROTECTED]> Sent: 08/20/03 09:46 AM To: [EMAIL PROTECTED] Subject: login request Hi, i have created a form and a action which checks to see if a user exists in my database and if so a value object is placed into the session. What i am unsure of is how to a action called everytime a request is made? Can i configure struts-config.xml to send all requests via an action to see if this session object exists, and if not redirect the user to the login page? many thanks Andy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login request + ActionServlet RequestProcessor Action
Although I am extending Action class as of now but extending Requestprocessor should be a better choice. After all ActionServlet, after all the initializations, delegates control to RequestProcessor. Let's keep ActionServlet only for one time inits. hth Navjot Singh |-Original Message- |From: Andy Richards [mailto:[EMAIL PROTECTED] |Sent: Thursday, August 21, 2003 2:19 PM |To: Struts Users Mailing List |Subject: Re: login request + ActionServlet RequestProcessor Action | | |Hi | |After deciding which approach to take and reading a few of my struts books |about the controller object ; ) I am now confused as which is the most |appropriate class to extend to perform my login functionality. |David suggests |extending the base action class, however i have read that the |RequestProcessor class was added to struts1.1 to extend the ActionServlet. |From what i can see this class handles all requests and one of its methods |calls the appropriate action. Therefore which would be the better class to |extend ActionServlet, RequestProcessor or Action. Any ideas.? | |thanks | |Andy | |On Wednesday 20 Aug 2003 2:41 pm, David G. Friedman wrote: |> Dear Andy, |> |> I'm doing the same thing you suggest. My approach is |> to extend the base Action (or any type of Action) class |> by adding a functon 'checkLogin'. It takes the 'request' |> as the argument, checks the session for a User bean, and |> throws an exception if the bean is missing or if the ID |> number on the bean is zero/unset. In my execute() method |> I make my first line 'checkLogin(request)' and it handles |> my authentication. |> |> If you try this approach, keep in mind I'm using Struts |> v1.1 final so I can use exceptions. |> |> Tonight I'm going to try switching it to an interface so |> I can use it to extend any action type by using 3 lines |> (and without sub-classing): |> |> 1. import com.mycompany.auth.LoginCheck; |> 2. public class MyAction extends Action implements LoginCheck |> 3. checkLogin(request) <--- 1st line from within the execute |> or DispatchAction, or LookupDispatchAction method, etc. |> |> Regards, |> David |> |> ---Original Message--- |> From: Andy Richards <[EMAIL PROTECTED]> |> Sent: 08/20/03 09:46 AM |> To: [EMAIL PROTECTED] |> Subject: login request |> |> > Hi, i have created a form and a action which checks to see if a user |> |> exists |> in |> my database and if so a value object is placed into the session. |What i am |> |> |> unsure of is how to a action called everytime a request is made? Can i |> configure struts-config.xml to send all requests via an action to see if |> this |> session object exists, and if not redirect the user to the login page? |> |> many thanks |> |> Andy | |- |To unsubscribe, e-mail: [EMAIL PROTECTED] |For additional commands, e-mail: [EMAIL PROTECTED] | | - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login request + ActionServlet RequestProcessor Action
Hi Kok Good point, never thought about that! One point towards extending the requestProcessor then, as if i am right i configure this in my struts-config.xml and dont need to extend it from every action class. Thanks Andy On Thursday 21 Aug 2003 10:26 am, Kok Wei, Koh wrote: > Hi Andy, > > I guess the decision boils down to how your application is going to be > written. For a project I worked on couple of weeks back, I ran into a > problem where one of my Actions needs to extend a class to inherit some > functionality, but I was stucked because I need to extend my > "AuthenticationAction" which handles all my user login stuff. > > I can't extend from 2 classes, right? I then went on to research the > RequestProcessor. I used tiles of Struts 1.1 in my project so what I did > was I ported the "AuthenticationAction" code to say > "AuthenticationRequestProcessor" and it extends "TilesRequestProcessor" > which extends the Struts "RequestProcessor". > > So it all depends on if you're gonna run into problems like this? > > My 2 cents. Hope this helps. > > Andy Richards wrote: > > Hi > > > > After deciding which approach to take and reading a few of my struts > > books about the controller object ; ) I am now confused as which is the > > most appropriate class to extend to perform my login functionality. David > > suggests extending the base action class, however i have read that the > > RequestProcessor class was added to struts1.1 to extend the > > ActionServlet. From what i can see this class handles all requests and > > one of its methods calls the appropriate action. Therefore which would be > > the better class to extend ActionServlet, RequestProcessor or Action. > > Any ideas.? > > > > thanks > > > > Andy > > > > On Wednesday 20 Aug 2003 2:41 pm, David G. Friedman wrote: > >>Dear Andy, > >> > >>I'm doing the same thing you suggest. My approach is > >>to extend the base Action (or any type of Action) class > >>by adding a functon 'checkLogin'. It takes the 'request' > >>as the argument, checks the session for a User bean, and > >>throws an exception if the bean is missing or if the ID > >>number on the bean is zero/unset. In my execute() method > >>I make my first line 'checkLogin(request)' and it handles > >>my authentication. > >> > >>If you try this approach, keep in mind I'm using Struts > >>v1.1 final so I can use exceptions. > >> > >>Tonight I'm going to try switching it to an interface so > >>I can use it to extend any action type by using 3 lines > >>(and without sub-classing): > >> > >>1. import com.mycompany.auth.LoginCheck; > >>2. public class MyAction extends Action implements LoginCheck > >>3. checkLogin(request) <--- 1st line from within the execute > >>or DispatchAction, or LookupDispatchAction method, etc. > >> > >>Regards, > >>David > >> > >>---Original Message--- > >>From: Andy Richards <[EMAIL PROTECTED]> > >>Sent: 08/20/03 09:46 AM > >>To: [EMAIL PROTECTED] > >>Subject: login request > >> > >>>Hi, i have created a form and a action which checks to see if a user > >> > >>exists > >>in > >>my database and if so a value object is placed into the session. What i > >> am > >> > >> > >>unsure of is how to a action called everytime a request is made? Can i > >>configure struts-config.xml to send all requests via an action to see if > >>this > >>session object exists, and if not redirect the user to the login page? > >> > >>many thanks > >> > >>Andy > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login request + ActionServlet RequestProcessor Action
Hi Andy, I guess the decision boils down to how your application is going to be written. For a project I worked on couple of weeks back, I ran into a problem where one of my Actions needs to extend a class to inherit some functionality, but I was stucked because I need to extend my "AuthenticationAction" which handles all my user login stuff. I can't extend from 2 classes, right? I then went on to research the RequestProcessor. I used tiles of Struts 1.1 in my project so what I did was I ported the "AuthenticationAction" code to say "AuthenticationRequestProcessor" and it extends "TilesRequestProcessor" which extends the Struts "RequestProcessor". So it all depends on if you're gonna run into problems like this? My 2 cents. Hope this helps. Andy Richards wrote: Hi After deciding which approach to take and reading a few of my struts books about the controller object ; ) I am now confused as which is the most appropriate class to extend to perform my login functionality. David suggests extending the base action class, however i have read that the RequestProcessor class was added to struts1.1 to extend the ActionServlet. From what i can see this class handles all requests and one of its methods calls the appropriate action. Therefore which would be the better class to extend ActionServlet, RequestProcessor or Action. Any ideas.? thanks Andy On Wednesday 20 Aug 2003 2:41 pm, David G. Friedman wrote: Dear Andy, I'm doing the same thing you suggest. My approach is to extend the base Action (or any type of Action) class by adding a functon 'checkLogin'. It takes the 'request' as the argument, checks the session for a User bean, and throws an exception if the bean is missing or if the ID number on the bean is zero/unset. In my execute() method I make my first line 'checkLogin(request)' and it handles my authentication. If you try this approach, keep in mind I'm using Struts v1.1 final so I can use exceptions. Tonight I'm going to try switching it to an interface so I can use it to extend any action type by using 3 lines (and without sub-classing): 1. import com.mycompany.auth.LoginCheck; 2. public class MyAction extends Action implements LoginCheck 3. checkLogin(request) <--- 1st line from within the execute or DispatchAction, or LookupDispatchAction method, etc. Regards, David ---Original Message--- From: Andy Richards <[EMAIL PROTECTED]> Sent: 08/20/03 09:46 AM To: [EMAIL PROTECTED] Subject: login request Hi, i have created a form and a action which checks to see if a user exists in my database and if so a value object is placed into the session. What i am unsure of is how to a action called everytime a request is made? Can i configure struts-config.xml to send all requests via an action to see if this session object exists, and if not redirect the user to the login page? many thanks Andy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login request + ActionServlet RequestProcessor Action
Hi After deciding which approach to take and reading a few of my struts books about the controller object ; ) I am now confused as which is the most appropriate class to extend to perform my login functionality. David suggests extending the base action class, however i have read that the RequestProcessor class was added to struts1.1 to extend the ActionServlet. From what i can see this class handles all requests and one of its methods calls the appropriate action. Therefore which would be the better class to extend ActionServlet, RequestProcessor or Action. Any ideas.? thanks Andy On Wednesday 20 Aug 2003 2:41 pm, David G. Friedman wrote: > Dear Andy, > > I'm doing the same thing you suggest. My approach is > to extend the base Action (or any type of Action) class > by adding a functon 'checkLogin'. It takes the 'request' > as the argument, checks the session for a User bean, and > throws an exception if the bean is missing or if the ID > number on the bean is zero/unset. In my execute() method > I make my first line 'checkLogin(request)' and it handles > my authentication. > > If you try this approach, keep in mind I'm using Struts > v1.1 final so I can use exceptions. > > Tonight I'm going to try switching it to an interface so > I can use it to extend any action type by using 3 lines > (and without sub-classing): > > 1. import com.mycompany.auth.LoginCheck; > 2. public class MyAction extends Action implements LoginCheck > 3. checkLogin(request) <--- 1st line from within the execute > or DispatchAction, or LookupDispatchAction method, etc. > > Regards, > David > > ---Original Message--- > From: Andy Richards <[EMAIL PROTECTED]> > Sent: 08/20/03 09:46 AM > To: [EMAIL PROTECTED] > Subject: login request > > > Hi, i have created a form and a action which checks to see if a user > > exists > in > my database and if so a value object is placed into the session. What i am > > > unsure of is how to a action called everytime a request is made? Can i > configure struts-config.xml to send all requests via an action to see if > this > session object exists, and if not redirect the user to the login page? > > many thanks > > Andy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login request
Thank you ... I would liked to have used a filter as this was my first idea, however my clients app must be deployed onto their raq550 server which supports only tomcat 3. I believe only tomcat 4 supports filters(or the servlet spec it uses)? I believe i will follow davids example and extend the base action class as this seems to be my only option. This dosnt seem as elegent as a filter but does seems to be the most elegent alternative thanks david : ), unless anyone else has any better ideas? Most helpful allthanks again Andy On Wednesday 20 Aug 2003 2:41 pm, David G. Friedman wrote: > Dear Andy, > > I'm doing the same thing you suggest. My approach is > to extend the base Action (or any type of Action) class > by adding a functon 'checkLogin'. It takes the 'request' > as the argument, checks the session for a User bean, and > throws an exception if the bean is missing or if the ID > number on the bean is zero/unset. In my execute() method > I make my first line 'checkLogin(request)' and it handles > my authentication. > > If you try this approach, keep in mind I'm using Struts > v1.1 final so I can use exceptions. > > Tonight I'm going to try switching it to an interface so > I can use it to extend any action type by using 3 lines > (and without sub-classing): > > 1. import com.mycompany.auth.LoginCheck; > 2. public class MyAction extends Action implements LoginCheck > 3. checkLogin(request) <--- 1st line from within the execute > or DispatchAction, or LookupDispatchAction method, etc. > > Regards, > David > > ---Original Message--- > From: Andy Richards <[EMAIL PROTECTED]> > Sent: 08/20/03 09:46 AM > To: [EMAIL PROTECTED] > Subject: login request > > > Hi, i have created a form and a action which checks to see if a user > > exists > in > my database and if so a value object is placed into the session. What i am > > > unsure of is how to a action called everytime a request is made? Can i > configure struts-config.xml to send all requests via an action to see if > this > session object exists, and if not redirect the user to the login page? > > many thanks > > Andy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login request
David, If you implement it with an interface like you wrote: import com.mycompany.auth.LoginCheck; public class MyAction extends Action implements LoginCheck checkLogin(request) <--- 1st line from within the execute won't you have to write the checkLogin() method in each and every Action in your application? -eric -Original Message- From: David G. Friedman [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 20, 2003 9:42 AM To: Struts Users Mailing List; [EMAIL PROTECTED] Subject: Re: login request Dear Andy, I'm doing the same thing you suggest. My approach is to extend the base Action (or any type of Action) class by adding a functon 'checkLogin'. It takes the 'request' as the argument, checks the session for a User bean, and throws an exception if the bean is missing or if the ID number on the bean is zero/unset. In my execute() method I make my first line 'checkLogin(request)' and it handles my authentication. If you try this approach, keep in mind I'm using Struts v1.1 final so I can use exceptions. Tonight I'm going to try switching it to an interface so I can use it to extend any action type by using 3 lines (and without sub-classing): 1. import com.mycompany.auth.LoginCheck; 2. public class MyAction extends Action implements LoginCheck 3. checkLogin(request) <--- 1st line from within the execute or DispatchAction, or LookupDispatchAction method, etc. Regards, David ---Original Message--- From: Andy Richards <[EMAIL PROTECTED]> Sent: 08/20/03 09:46 AM To: [EMAIL PROTECTED] Subject: login request > > Hi, i have created a form and a action which checks to see if a user exists in my database and if so a value object is placed into the session. What i am unsure of is how to a action called everytime a request is made? Can i configure struts-config.xml to send all requests via an action to see if this session object exists, and if not redirect the user to the login page? many thanks Andy -- - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login request
Dear Andy, I'm doing the same thing you suggest. My approach is to extend the base Action (or any type of Action) class by adding a functon 'checkLogin'. It takes the 'request' as the argument, checks the session for a User bean, and throws an exception if the bean is missing or if the ID number on the bean is zero/unset. In my execute() method I make my first line 'checkLogin(request)' and it handles my authentication. If you try this approach, keep in mind I'm using Struts v1.1 final so I can use exceptions. Tonight I'm going to try switching it to an interface so I can use it to extend any action type by using 3 lines (and without sub-classing): 1. import com.mycompany.auth.LoginCheck; 2. public class MyAction extends Action implements LoginCheck 3. checkLogin(request) <--- 1st line from within the execute or DispatchAction, or LookupDispatchAction method, etc. Regards, David ---Original Message--- From: Andy Richards <[EMAIL PROTECTED]> Sent: 08/20/03 09:46 AM To: [EMAIL PROTECTED] Subject: login request > > Hi, i have created a form and a action which checks to see if a user exists in my database and if so a value object is placed into the session. What i am unsure of is how to a action called everytime a request is made? Can i configure struts-config.xml to send all requests via an action to see if this session object exists, and if not redirect the user to the login page? many thanks Andy -- - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login request
You can use a filter to intercept all requests to a particular URL pattern and check for your object in session. A filter is similar to a servlet in that it's a piece of code that gets passed the request and response objects and operates on them; but it's invocation is unique, because it's called by the container before honoring the original request. You can write your own filter or use something like www.securityfilter.org Or, as Craig McClanahan wrote: "subclass RequestProcessor and override one of the processXxx methods to perform this check for you." See his full post below. HTH, -Sasha Craig's post: > If you have followed the recommended Struts design practice of flowing > *all* requests through the controller servlet, then it's really easy to do > this -- subclass RequestProcessor and override one of the processXxx > methods to perform this check for you. > > If you have direct hyperlinks to JSP pages, then you can use a Filter if > you're on a Servlet 2.3 or later container; otherwise, you're stuck having > to modify your 60 pages. If you have to modify things anyway, you're > strongly encouraged to follow the recommended design pattern and flow > things through the controller, so you can do things like this in one > place. > > Craig On 8/20/03 8:46, "Andy Richards" <[EMAIL PROTECTED]> wrote: > Hi, i have created a form and a action which checks to see if a user exists in > my database and if so a value object is placed into the session. What i am > unsure of is how to a action called everytime a request is made? Can i > configure struts-config.xml to send all requests via an action to see if this > session object exists, and if not redirect the user to the login page? > > many thanks > > Andy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
login request
Hi, i have created a form and a action which checks to see if a user exists in my database and if so a value object is placed into the session. What i am unsure of is how to a action called everytime a request is made? Can i configure struts-config.xml to send all requests via an action to see if this session object exists, and if not redirect the user to the login page? many thanks Andy -- - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: New Bie : org.apache.jasper.JasperException: Cannot retrieve mapping for action /login
Hi, This is my first Struts app, I have a login.jsp in which I have declared a form tag with action as login.do and I have two buttons(a login button and a browse button) on the page. I have written a form bean and an action class also. While trying to access login.jsp I get an "Internal Server Error". I have appended the struts-config.xml and the exception that I get. Kindly help me out. The following is an extract from struts-config.xml: http://jakarta.apache.org/struts/dtds/struts-config_1_0.dtd";> The Stack trace: org.apache.jasper.JasperException: Cannot retrieve mapping for action /login at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 48) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:243) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:190) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:2 46) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180 ) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve. java:170) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170 ) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :174) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java: 1027) at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125 ) at java.lang.Thread.run(Thread.java:536) Thanks, Seshadhri Srinivasan - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: New Bie : org.apache.jasper.JasperException: Cannot retrieve mapping foraction /login
probably because the error message says login whilst your config says /Login your config should say From: Seshadhri Srinivasan <[EMAIL PROTECTED]> Reply-To: "Struts Users Mailing List" <[EMAIL PROTECTED]> To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]> CC: "Balabaskaran, Kanagasabai" <[EMAIL PROTECTED]> Subject: RE: New Bie : org.apache.jasper.JasperException: Cannot retrieve mapping for action /login Date: Wed, 6 Aug 2003 11:50:55 +0530 Hi, This is my first Struts app, I have a login.jsp in which I have declared a form tag with action as login.do and I have two buttons(a login button and a browse button) on the page. I have written a form bean and an action class also. While trying to access login.jsp I get an "Internal Server Error". I have appended the struts-config.xml and the exception that I get. Kindly help me out. The following is an extract from struts-config.xml: http://jakarta.apache.org/struts/dtds/struts-config_1_0.dtd";> The Stack trace: org.apache.jasper.JasperException: Cannot retrieve mapping for action /login at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:2 48) at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289) at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application FilterChain.java:247) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterCh ain.java:193) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.ja va:243) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.ja va:190) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:2 46) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180 ) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve. java:170) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170 ) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 64) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java :174) at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:5 66) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java: 1027) at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125 ) at java.lang.Thread.run(Thread.java:536) Thanks, Seshadhri Srinivasan - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] _ MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. http://join.msn.com/?page=features/virus - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: login for half my action mappings, leaving other half unsecured
On Thu, 17 Jul 2003, Adam Hardy wrote: > Date: Thu, 17 Jul 2003 11:34:49 +0200 > From: Adam Hardy <[EMAIL PROTECTED]> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]> > To: Struts Users Mailing List <[EMAIL PROTECTED]> > Subject: login for half my action mappings, leaving other half unsecured > > In some of my action mappings I am providing XML output for anybody and > it shouldn't be protected by any web.xml security-constraint, but for > the rest, I need login security which I already have set up. > > What I have come up with after a slight false start is a plan to have > all my secured requests go to /secure/*.do > > This way I can map the *.do to the action servlet, and I can map the > security-constraint to the /secure/* > > The only doubt I have is that my action mappings in struts-config have a > path that looks like path="/secure/dostuff" which I am not used to since > I haven't used a pseudo-directory in my mapping path before. Is this OK, > or am I barking up the wrong tree again? > No, you're doing it right, as long as you continue to map the Struts controller servlet to the "*.do" pattern, and map your security constraints to the "/secure/*" pattern. The place where they overlap (action paths within the "/secure" area) are exactly the ones that will be protected by the constraint, while all other actions will continue to be accessible to anyone. > Thanks > Adam Craig - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
more about login
I've hit a conflict in my security set-up. I am using container-managed security with the FORM option and so far I have a login.jsp and an error.jsp which work fine. The conflict is now that I want to put my JSPs in my WEB-INF directory for protection's sake. Tomcat can't handle this because it can't see the login and error pages under WEB-INF. The only options I think I have is (a) use html files not under WEB-INF or (b) set up an action forward mapping to inside WEB-INF I want to use JSPs and not just html files because I want to localise them for language etc. But I am not sure about (b) being advisable or working in any other container - in fact I haven't tested it with tomcat yet. Any comments? Thanks Adam - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
login for half my action mappings, leaving other half unsecured
In some of my action mappings I am providing XML output for anybody and it shouldn't be protected by any web.xml security-constraint, but for the rest, I need login security which I already have set up. What I have come up with after a slight false start is a plan to have all my secured requests go to /secure/*.do This way I can map the *.do to the action servlet, and I can map the security-constraint to the /secure/* The only doubt I have is that my action mappings in struts-config have a path that looks like path="/secure/dostuff" which I am not used to since I haven't used a pseudo-directory in my mapping path before. Is this OK, or am I barking up the wrong tree again? Thanks Adam - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: login framework
HttpServletRequest has a method called getHeader(String name) use that with a paramater of "Referer" which will give you the page the user came from. Look at the Servlet specification for all your other answers. --Amit -Original Message- From: Ashish Kulkarni [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 15, 2003 2:42 PM To: [EMAIL PROTECTED] Subject: login framework Hi, I have a following requirement, there are 2 links on a webpage, when the user clicks on 1st link show the user login screen if he is not logged in( ihave login info in session), if the login is valid forward the request to 1st html page, if the user clicks on 2nd link, again show the login screen (if not logged in), and if the login is valid forward the request to 2nd html page. So how do i define in struts-config file to handle this, I want some mechanism to remember from which page the request came and which page is must be redirected, and what where the parameters in the request. It is some thing like on ebay, where the user has to login each time he tries to checkout Any suggestions about it Ashish __ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
login framework
Hi, I have a following requirement, there are 2 links on a webpage, when the user clicks on 1st link show the user login screen if he is not logged in( ihave login info in session), if the login is valid forward the request to 1st html page, if the user clicks on 2nd link, again show the login screen (if not logged in), and if the login is valid forward the request to 2nd html page. So how do i define in struts-config file to handle this, I want some mechanism to remember from which page the request came and which page is must be redirected, and what where the parameters in the request. It is some thing like on ebay, where the user has to login each time he tries to checkout Any suggestions about it Ashish __ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
On Thu, 10 Jul 2003, Erez Efrati wrote: > Date: Thu, 10 Jul 2003 20:29:11 +0200 > From: Erez Efrati <[EMAIL PROTECTED]> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]> > To: 'Struts Users Mailing List' <[EMAIL PROTECTED]> > Subject: RE: Login Form > > Yep, I've done that and it's compiling... but like any other programming > story, we must suffer first I guess before seeing some results and a > smile. > Anyway, I've started using it but I got the following error: > > What does it mean? > Since this issue doesn't have anything to do with Struts any more, would you folks mind continuing the conversation separately? > Thanks, > Erez Craig > > 21:20:09,268 ERROR [Digester] Begin event threw exception > java.lang.ClassNotFoundException: No ClassLoaders found for: > org.securityfilter.config.SecurityConstraint > at org.jboss.mx.loading.LoadMgr.beginLoadTask(LoadMgr.java:156) > at > org.jboss.mx.loading.UnifiedClassLoader3.loadClass(UnifiedClassLoader3.j > ava:161) > at java.lang.ClassLoader.loadClass(ClassLoader.java:255) > at > org.apache.commons.digester.ObjectCreateRule.begin(ObjectCreateRule.java > :252) > at org.apache.commons.digester.Rule.begin(Rule.java:200) > at > org.apache.commons.digester.Digester.startElement(Digester.java:1268) > at > org.apache.crimson.parser.Parser2.maybeElement(Parser2.java:1490) > at org.apache.crimson.parser.Parser2.content(Parser2.java:1779) > at > org.apache.crimson.parser.Parser2.maybeElement(Parser2.java:1507) > at > org.apache.crimson.parser.Parser2.parseInternal(Parser2.java:500) > at org.apache.crimson.parser.Parser2.parse(Parser2.java:305) > at > org.apache.crimson.parser.XMLReaderImpl.parse(XMLReaderImpl.java:442) > at > org.apache.commons.digester.Digester.parse(Digester.java:1543) > at > org.securityfilter.config.SecurityConfig.loadConfig(SecurityConfig.java: > 276) > at > org.securityfilter.filter.SecurityFilter.init(SecurityFilter.java:220) > at > org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFi > lterConfig.java:266) > at > org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(Applicatio > nFilterConfig.java:327) > at > org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilte > rConfig.java:120) > at > org.apache.catalina.core.StandardContext.filterStart(StandardContext.jav > a:3158) > at > org.apache.catalina.core.StandardContext.start(StandardContext.java:3602 > ) > at > org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.ja > va:821) > at > org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807) > at > org.apache.catalina.core.StandardHost.addChild(StandardHost.java:579) > at > org.jboss.web.catalina.EmbeddedCatalinaService41.createWebContext(Embedd > edCatalinaService41.java:432) > at > org.jboss.web.catalina.EmbeddedCatalinaService41.performDeploy(EmbeddedC > atalinaService41.java:306) > at > org.jboss.web.AbstractWebContainer.start(AbstractWebContainer.java:301) > at > org.jboss.deployment.MainDeployer.start(MainDeployer.java:814) > at > org.jboss.deployment.MainDeployer.start(MainDeployer.java:806) > at > org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:627) > at > org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:591) > at sun.reflect.GeneratedMethodAccessor10.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor > Impl.java:25) > at java.lang.reflect.Method.invoke(Method.java:324) > at > org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDi > spatcher.java:284) > at > org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:517) > at org.jboss.util.jmx.MBeanProxy.invoke(MBeanProxy.java:174) > at $Proxy3.deploy(Unknown Source) > at > org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentSc > anner.java:435) > at > org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScan > ner.java:561) > at > org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doS > can(AbstractDeploymentScanner.java:217) > at > org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.loo > p(AbstractDeploymentScanner.java:230) > at > org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.run > (AbstractDeploymentScanner.java:207) > 21:20:09,288 ERROR [STDERR] unable to parse input: > java.lang.Class
RE: Login Form
11,722 INFO [ValidatorResources] Add ValidatorAction: requiredif,org.apache.struts.validator.FieldChecks 21:20:11,732 INFO [ValidatorResources] Add ValidatorAction: minlength,org.apache.struts.validator.FieldChecks 21:20:11,742 INFO [ValidatorResources] Add ValidatorAction: maxlength,org.apache.struts.validator.FieldChecks 21:20:11,782 INFO [ValidatorResources] Add ValidatorAction: mask,org.apache.struts.validator.FieldChecks 21:20:11,852 INFO [ValidatorResources] Add ValidatorAction: byte,org.apache.struts.validator.FieldChecks 21:20:11,862 INFO [ValidatorResources] Add ValidatorAction: short,org.apache.struts.validator.FieldChecks 21:20:11,882 INFO [ValidatorResources] Add ValidatorAction: integer,org.apache.struts.validator.FieldChecks 21:20:11,902 INFO [ValidatorResources] Add ValidatorAction: long,org.apache.struts.validator.FieldChecks 21:20:11,942 INFO [ValidatorResources] Add ValidatorAction: float,org.apache.struts.validator.FieldChecks 21:20:11,952 INFO [ValidatorResources] Add ValidatorAction: double,org.apache.struts.validator.FieldChecks 21:20:11,972 INFO [ValidatorResources] Add ValidatorAction: date,org.apache.struts.validator.FieldChecks 21:20:11,982 INFO [ValidatorResources] Add ValidatorAction: range,org.apache.struts.validator.FieldChecks 21:20:11,992 INFO [ValidatorResources] Add ValidatorAction: intRange,org.apache.struts.validator.FieldChecks 21:20:11,992 INFO [ValidatorResources] Add ValidatorAction: floatRange,org.apache.struts.validator.FieldChecks 21:20:12,002 INFO [ValidatorResources] Add ValidatorAction: creditCard,org.apache.struts.validator.FieldChecks 21:20:12,042 INFO [ValidatorResources] Add ValidatorAction: email,org.apache.struts.validator.FieldChecks 21:20:12,052 INFO [ValidatorPlugIn] Loading validation rules file from '/WEB-INF/validation.xml' -Original Message- From: Sean Radford [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 6:27 PM To: Struts Users Mailing List Subject: RE: Login Form Just need to include the relevant JBoss jar(s) on your classpath in JBuilder... For JBoss 4 it is simply jboss.jar (found in JBOSS_HOME/server/CONFIG/lib) :-) Sean -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems On Thu, 2003-07-10 at 17:59, Erez Efrati wrote: > Sean, > > I have tried out the SecurityFilter web examples and they are working > just fine. > I have started to integrate it into my project, but I am getting > compilation errors on the JBossRealmAdapter.java. > It can't seem to find AuthenticationManager, RealmManager, > SubjectSecurityManager. Just for some background info: > I am using JBuilder 8.0EE and I am using the JBoss 3.0.7 , Does that > have anything to do with the compilation errors? Do I need a later > version of JBoss? > > Thanks, > Erez > > -Original Message- > From: Erez Efrati [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 4:44 PM > To: 'Struts Users Mailing List' > Subject: RE: Login Form > > Thanks a lot Sean, I will try it and let you know how it works. > > Thanks for your great help, > Erez > > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 12:28 PM > To: Struts Users Mailing List > Subject: RE: Login Form > > Erez, > > Things you need to do: > > 1. Get your EJB's installed and working with your JAAS plugin (or one of > the supplied JBoss ones). So standard J2EE settings in ejb-jar.xml, and > a standard jboss.xml (your security-domain in particular). > > 2. Create your web app as per the security filter instructions. That > means moving the security defintions that are normally in web.xml to the > securityfilter-config.xml file, and defining the Filter in web.xml. And > in jboss-web.xml you need to define the security-domain. Then you just > need to specify 'my' class as the realm in the > securityfilter-config.xml: > > > > Hope that helps, > > Sean - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Just need to include the relevant JBoss jar(s) on your classpath in JBuilder... For JBoss 4 it is simply jboss.jar (found in JBOSS_HOME/server/CONFIG/lib) :-) Sean -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems On Thu, 2003-07-10 at 17:59, Erez Efrati wrote: > Sean, > > I have tried out the SecurityFilter web examples and they are working > just fine. > I have started to integrate it into my project, but I am getting > compilation errors on the JBossRealmAdapter.java. > It can't seem to find AuthenticationManager, RealmManager, > SubjectSecurityManager. Just for some background info: > I am using JBuilder 8.0EE and I am using the JBoss 3.0.7 , Does that > have anything to do with the compilation errors? Do I need a later > version of JBoss? > > Thanks, > Erez > > -Original Message- > From: Erez Efrati [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 4:44 PM > To: 'Struts Users Mailing List' > Subject: RE: Login Form > > Thanks a lot Sean, I will try it and let you know how it works. > > Thanks for your great help, > Erez > > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 12:28 PM > To: Struts Users Mailing List > Subject: RE: Login Form > > Erez, > > Things you need to do: > > 1. Get your EJB's installed and working with your JAAS plugin (or one of > the supplied JBoss ones). So standard J2EE settings in ejb-jar.xml, and > a standard jboss.xml (your security-domain in particular). > > 2. Create your web app as per the security filter instructions. That > means moving the security defintions that are normally in web.xml to the > securityfilter-config.xml file, and defining the Filter in web.xml. And > in jboss-web.xml you need to define the security-domain. Then you just > need to specify 'my' class as the realm in the > securityfilter-config.xml: > > > > Hope that helps, > > Sean - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Sean, I have tried out the SecurityFilter web examples and they are working just fine. I have started to integrate it into my project, but I am getting compilation errors on the JBossRealmAdapter.java. It can't seem to find AuthenticationManager, RealmManager, SubjectSecurityManager. Just for some background info: I am using JBuilder 8.0EE and I am using the JBoss 3.0.7 , Does that have anything to do with the compilation errors? Do I need a later version of JBoss? Thanks, Erez -Original Message- From: Erez Efrati [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 4:44 PM To: 'Struts Users Mailing List' Subject: RE: Login Form Thanks a lot Sean, I will try it and let you know how it works. Thanks for your great help, Erez -Original Message- From: Sean Radford [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 12:28 PM To: Struts Users Mailing List Subject: RE: Login Form Erez, Things you need to do: 1. Get your EJB's installed and working with your JAAS plugin (or one of the supplied JBoss ones). So standard J2EE settings in ejb-jar.xml, and a standard jboss.xml (your security-domain in particular). 2. Create your web app as per the security filter instructions. That means moving the security defintions that are normally in web.xml to the securityfilter-config.xml file, and defining the Filter in web.xml. And in jboss-web.xml you need to define the security-domain. Then you just need to specify 'my' class as the realm in the securityfilter-config.xml: Hope that helps, Sean -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems On Thu, 2003-07-10 at 12:01, Erez Efrati wrote: > Sean, > > Thanks for the code. I have downloaded everything and I am about to > start playing with it. But from reading still, I am a bit confused here. > > Is this code + SecurityFilter replaces the container security > configuration of JBoss/Tomcat in ejb-jar.xml, web.xml, jboss.xml, > jboss-web.xml ? > > Thanks, > Erez > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 11:26 AM > To: Struts Users Mailing List > Subject: RE: Login Form > > All, > > Please find attached my securityfilter realm adaptor. The other code I > was waiting for hasn't materialised, so I couldn't do any comparison - > but it seems to work for me... Good luck, and any probs just shout. > > And nope, I have know idea if the extra functionality is to be resolved > in the near future within an updated container specification. Any one > know how we could 'force' the issue? > > Regards, > > Sean - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Thanks a lot Sean, I will try it and let you know how it works. Thanks for your great help, Erez -Original Message- From: Sean Radford [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 12:28 PM To: Struts Users Mailing List Subject: RE: Login Form Erez, Things you need to do: 1. Get your EJB's installed and working with your JAAS plugin (or one of the supplied JBoss ones). So standard J2EE settings in ejb-jar.xml, and a standard jboss.xml (your security-domain in particular). 2. Create your web app as per the security filter instructions. That means moving the security defintions that are normally in web.xml to the securityfilter-config.xml file, and defining the Filter in web.xml. And in jboss-web.xml you need to define the security-domain. Then you just need to specify 'my' class as the realm in the securityfilter-config.xml: Hope that helps, Sean -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems On Thu, 2003-07-10 at 12:01, Erez Efrati wrote: > Sean, > > Thanks for the code. I have downloaded everything and I am about to > start playing with it. But from reading still, I am a bit confused here. > > Is this code + SecurityFilter replaces the container security > configuration of JBoss/Tomcat in ejb-jar.xml, web.xml, jboss.xml, > jboss-web.xml ? > > Thanks, > Erez > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 11:26 AM > To: Struts Users Mailing List > Subject: RE: Login Form > > All, > > Please find attached my securityfilter realm adaptor. The other code I > was waiting for hasn't materialised, so I couldn't do any comparison - > but it seems to work for me... Good luck, and any probs just shout. > > And nope, I have know idea if the extra functionality is to be resolved > in the near future within an updated container specification. Any one > know how we could 'force' the issue? > > Regards, > > Sean - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Erez, Things you need to do: 1. Get your EJB's installed and working with your JAAS plugin (or one of the supplied JBoss ones). So standard J2EE settings in ejb-jar.xml, and a standard jboss.xml (your security-domain in particular). 2. Create your web app as per the security filter instructions. That means moving the security defintions that are normally in web.xml to the securityfilter-config.xml file, and defining the Filter in web.xml. And in jboss-web.xml you need to define the security-domain. Then you just need to specify 'my' class as the realm in the securityfilter-config.xml: Hope that helps, Sean -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems On Thu, 2003-07-10 at 12:01, Erez Efrati wrote: > Sean, > > Thanks for the code. I have downloaded everything and I am about to > start playing with it. But from reading still, I am a bit confused here. > > Is this code + SecurityFilter replaces the container security > configuration of JBoss/Tomcat in ejb-jar.xml, web.xml, jboss.xml, > jboss-web.xml ? > > Thanks, > Erez > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 10, 2003 11:26 AM > To: Struts Users Mailing List > Subject: RE: Login Form > > All, > > Please find attached my securityfilter realm adaptor. The other code I > was waiting for hasn't materialised, so I couldn't do any comparison - > but it seems to work for me... Good luck, and any probs just shout. > > And nope, I have know idea if the extra functionality is to be resolved > in the near future within an updated container specification. Any one > know how we could 'force' the issue? > > Regards, > > Sean - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Sean, Thanks for the code. I have downloaded everything and I am about to start playing with it. But from reading still, I am a bit confused here. Is this code + SecurityFilter replaces the container security configuration of JBoss/Tomcat in ejb-jar.xml, web.xml, jboss.xml, jboss-web.xml ? Thanks, Erez -Original Message- From: Sean Radford [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 11:26 AM To: Struts Users Mailing List Subject: RE: Login Form All, Please find attached my securityfilter realm adaptor. The other code I was waiting for hasn't materialised, so I couldn't do any comparison - but it seems to work for me... Good luck, and any probs just shout. And nope, I have know idea if the extra functionality is to be resolved in the near future within an updated container specification. Any one know how we could 'force' the issue? Regards, Sean -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems On Wed, 2003-07-09 at 15:33, Erez Efrati wrote: > Sean, > > many thanks for keeping up with my questions - appreciate it. And yes > you are correct. I am using JBoss 3.0.7 / Tomcat 4.1.24. By the way have > you got any idea if this issue is about to be resolved at the Servlet > Container Spec ? > > Thanks, > Erez > > > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Wednesday, July 09, 2003 11:19 AM > To: Struts Users Mailing List > Subject: RE: Login Form > > On Tue, 2003-07-08 at 20:34, Erez Efrati wrote: > > Thanks Sean, > > > > I looked at it and it does avoid the BIG limitation posed by the > > standard spec in fact. Still I cannot use it since it disables the > > passing of the principal identity through calls to EJB methods. > > > That's what it says in the introductory documentation, but... > > You're using JBoss/Tomcat right? Well give me a day and I'll email you a > class that should do all you want... It's a RealmAdaptor for > securityfilter/Jboss that uses the JBoss security extension and so > correctly instantiates the Principal for the EJB layer. It works for me > with JBoss4/Jetty, so you should give it a try. (I'm waiting on some > code from another guy whose done similar and so just want to compare - > if his stuff doesn't arrive shortly, I'll send mine as it) > > > > Now, I am new to the web development and it amazes me that such a > basic > > feature is missing from the Servlet spec and is not addressed. Why is > it > > that way? Is it so unusual to want to have the login fields on the > start > > page?? > > Not unusual at all... And many Java sites have it that way, but they > don't necessarily use container authentication and they probably don't > use EJB's (many people steer clear - deep seated reservations from 1.0 > are still abound). > > If I get time I'm going to try and get the Jetty guys to 'surface' their > web Authenticators to allow developers to roll their own... I've looked > at the code and shouldn't be too difficult - one or two areas I'm not > sure about, but... > > > > > > Thanks, > > Erez > > > > > > -Original Message- > > From: Sean Radford [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, July 08, 2003 8:21 PM > > To: Struts Users Mailing List > > Subject: RE: Login Form > > > > Have a look at this (you may find what you want): > > > > http://sourceforge.net/projects/securityfilter/ > > > > Sean > > > > > > > -Original Message- > > > From: Erez Efrati [mailto:[EMAIL PROTECTED] > > > Sent: July 8, 2003 10:11 AM > > > To: 'Struts Users Mailing List' > > > Subject: Login Form > > > > > > > > > Hi, > > > > > > My question is a bit off Struts but still since I am using Struts > and > > > it's too urgent for me I thought to try my luck here, maybe someone > > had > > > stumbled on this issue too. > > > > > > I am running JBoss/Tomcat/Struts using the JAAS for handling the > > > application security aspects. I have used the > > > FORM clauses inside the Web.xml file. > > > > > > In my web site I want to have the site home page to have also a > small > > > login form where the user could enter username and password and > login > > to > > > the site. The home page, contains other links as well, which lead to > > > other parts of the site or even to external pages on other sites. > > > > &
RE: Login Form
All, Please find attached my securityfilter realm adaptor. The other code I was waiting for hasn't materialised, so I couldn't do any comparison - but it seems to work for me... Good luck, and any probs just shout. And nope, I have know idea if the extra functionality is to be resolved in the near future within an updated container specification. Any one know how we could 'force' the issue? Regards, Sean -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems On Wed, 2003-07-09 at 15:33, Erez Efrati wrote: > Sean, > > many thanks for keeping up with my questions - appreciate it. And yes > you are correct. I am using JBoss 3.0.7 / Tomcat 4.1.24. By the way have > you got any idea if this issue is about to be resolved at the Servlet > Container Spec ? > > Thanks, > Erez > > > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Wednesday, July 09, 2003 11:19 AM > To: Struts Users Mailing List > Subject: RE: Login Form > > On Tue, 2003-07-08 at 20:34, Erez Efrati wrote: > > Thanks Sean, > > > > I looked at it and it does avoid the BIG limitation posed by the > > standard spec in fact. Still I cannot use it since it disables the > > passing of the principal identity through calls to EJB methods. > > > That's what it says in the introductory documentation, but... > > You're using JBoss/Tomcat right? Well give me a day and I'll email you a > class that should do all you want... It's a RealmAdaptor for > securityfilter/Jboss that uses the JBoss security extension and so > correctly instantiates the Principal for the EJB layer. It works for me > with JBoss4/Jetty, so you should give it a try. (I'm waiting on some > code from another guy whose done similar and so just want to compare - > if his stuff doesn't arrive shortly, I'll send mine as it) > > > > Now, I am new to the web development and it amazes me that such a > basic > > feature is missing from the Servlet spec and is not addressed. Why is > it > > that way? Is it so unusual to want to have the login fields on the > start > > page?? > > Not unusual at all... And many Java sites have it that way, but they > don't necessarily use container authentication and they probably don't > use EJB's (many people steer clear - deep seated reservations from 1.0 > are still abound). > > If I get time I'm going to try and get the Jetty guys to 'surface' their > web Authenticators to allow developers to roll their own... I've looked > at the code and shouldn't be too difficult - one or two areas I'm not > sure about, but... > > > > > > Thanks, > > Erez > > > > > > -Original Message- > > From: Sean Radford [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, July 08, 2003 8:21 PM > > To: Struts Users Mailing List > > Subject: RE: Login Form > > > > Have a look at this (you may find what you want): > > > > http://sourceforge.net/projects/securityfilter/ > > > > Sean > > > > > > > -Original Message- > > > From: Erez Efrati [mailto:[EMAIL PROTECTED] > > > Sent: July 8, 2003 10:11 AM > > > To: 'Struts Users Mailing List' > > > Subject: Login Form > > > > > > > > > Hi, > > > > > > My question is a bit off Struts but still since I am using Struts > and > > > it's too urgent for me I thought to try my luck here, maybe someone > > had > > > stumbled on this issue too. > > > > > > I am running JBoss/Tomcat/Struts using the JAAS for handling the > > > application security aspects. I have used the > > > FORM clauses inside the Web.xml file. > > > > > > In my web site I want to have the site home page to have also a > small > > > login form where the user could enter username and password and > login > > to > > > the site. The home page, contains other links as well, which lead to > > > other parts of the site or even to external pages on other sites. > > > > > > >From what I've read so far, it seems to me that the FORM method is > > > activated only when the web user tries to access a protected page. > > Then > > > the Web Server (Tomcat in my case) returns the loginPage stated in > the > > > Web.xml file, and only after the login is performed > (j_security_check) > > > the Tomcat then redirects the web user to the original portected > page. > > > > >
RE: Login Form
Sean, many thanks for keeping up with my questions - appreciate it. And yes you are correct. I am using JBoss 3.0.7 / Tomcat 4.1.24. By the way have you got any idea if this issue is about to be resolved at the Servlet Container Spec ? Thanks, Erez -Original Message- From: Sean Radford [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 09, 2003 11:19 AM To: Struts Users Mailing List Subject: RE: Login Form On Tue, 2003-07-08 at 20:34, Erez Efrati wrote: > Thanks Sean, > > I looked at it and it does avoid the BIG limitation posed by the > standard spec in fact. Still I cannot use it since it disables the > passing of the principal identity through calls to EJB methods. > That's what it says in the introductory documentation, but... You're using JBoss/Tomcat right? Well give me a day and I'll email you a class that should do all you want... It's a RealmAdaptor for securityfilter/Jboss that uses the JBoss security extension and so correctly instantiates the Principal for the EJB layer. It works for me with JBoss4/Jetty, so you should give it a try. (I'm waiting on some code from another guy whose done similar and so just want to compare - if his stuff doesn't arrive shortly, I'll send mine as it) > Now, I am new to the web development and it amazes me that such a basic > feature is missing from the Servlet spec and is not addressed. Why is it > that way? Is it so unusual to want to have the login fields on the start > page?? Not unusual at all... And many Java sites have it that way, but they don't necessarily use container authentication and they probably don't use EJB's (many people steer clear - deep seated reservations from 1.0 are still abound). If I get time I'm going to try and get the Jetty guys to 'surface' their web Authenticators to allow developers to roll their own... I've looked at the code and shouldn't be too difficult - one or two areas I'm not sure about, but... > > Thanks, > Erez > > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Tuesday, July 08, 2003 8:21 PM > To: Struts Users Mailing List > Subject: RE: Login Form > > Have a look at this (you may find what you want): > > http://sourceforge.net/projects/securityfilter/ > > Sean > > > > -Original Message- > > From: Erez Efrati [mailto:[EMAIL PROTECTED] > > Sent: July 8, 2003 10:11 AM > > To: 'Struts Users Mailing List' > > Subject: Login Form > > > > > > Hi, > > > > My question is a bit off Struts but still since I am using Struts and > > it's too urgent for me I thought to try my luck here, maybe someone > had > > stumbled on this issue too. > > > > I am running JBoss/Tomcat/Struts using the JAAS for handling the > > application security aspects. I have used the > > FORM clauses inside the Web.xml file. > > > > In my web site I want to have the site home page to have also a small > > login form where the user could enter username and password and login > to > > the site. The home page, contains other links as well, which lead to > > other parts of the site or even to external pages on other sites. > > > > >From what I've read so far, it seems to me that the FORM method is > > activated only when the web user tries to access a protected page. > Then > > the Web Server (Tomcat in my case) returns the loginPage stated in the > > Web.xml file, and only after the login is performed (j_security_check) > > the Tomcat then redirects the web user to the original portected page. > > > > Is it possible to have the site home page as the login page still > using > > mechanisms of FORM and JAAS? If so I would really appreciate any help > on > > how to do it, and what are the configurations required. > > > > Thanks, > > Erez > > > > > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
On Tue, 2003-07-08 at 20:34, Erez Efrati wrote: > Thanks Sean, > > I looked at it and it does avoid the BIG limitation posed by the > standard spec in fact. Still I cannot use it since it disables the > passing of the principal identity through calls to EJB methods. > That's what it says in the introductory documentation, but... You're using JBoss/Tomcat right? Well give me a day and I'll email you a class that should do all you want... It's a RealmAdaptor for securityfilter/Jboss that uses the JBoss security extension and so correctly instantiates the Principal for the EJB layer. It works for me with JBoss4/Jetty, so you should give it a try. (I'm waiting on some code from another guy whose done similar and so just want to compare - if his stuff doesn't arrive shortly, I'll send mine as it) > Now, I am new to the web development and it amazes me that such a basic > feature is missing from the Servlet spec and is not addressed. Why is it > that way? Is it so unusual to want to have the login fields on the start > page?? Not unusual at all... And many Java sites have it that way, but they don't necessarily use container authentication and they probably don't use EJB's (many people steer clear - deep seated reservations from 1.0 are still abound). If I get time I'm going to try and get the Jetty guys to 'surface' their web Authenticators to allow developers to roll their own... I've looked at the code and shouldn't be too difficult - one or two areas I'm not sure about, but... > > Thanks, > Erez > > > -Original Message- > From: Sean Radford [mailto:[EMAIL PROTECTED] > Sent: Tuesday, July 08, 2003 8:21 PM > To: Struts Users Mailing List > Subject: RE: Login Form > > Have a look at this (you may find what you want): > > http://sourceforge.net/projects/securityfilter/ > > Sean > > > > -Original Message- > > From: Erez Efrati [mailto:[EMAIL PROTECTED] > > Sent: July 8, 2003 10:11 AM > > To: 'Struts Users Mailing List' > > Subject: Login Form > > > > > > Hi, > > > > My question is a bit off Struts but still since I am using Struts and > > it's too urgent for me I thought to try my luck here, maybe someone > had > > stumbled on this issue too. > > > > I am running JBoss/Tomcat/Struts using the JAAS for handling the > > application security aspects. I have used the > > FORM clauses inside the Web.xml file. > > > > In my web site I want to have the site home page to have also a small > > login form where the user could enter username and password and login > to > > the site. The home page, contains other links as well, which lead to > > other parts of the site or even to external pages on other sites. > > > > >From what I've read so far, it seems to me that the FORM method is > > activated only when the web user tries to access a protected page. > Then > > the Web Server (Tomcat in my case) returns the loginPage stated in the > > Web.xml file, and only after the login is performed (j_security_check) > > the Tomcat then redirects the web user to the original portected page. > > > > Is it possible to have the site home page as the login page still > using > > mechanisms of FORM and JAAS? If so I would really appreciate any help > on > > how to do it, and what are the configurations required. > > > > Thanks, > > Erez > > > > > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > - > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Thanks Sean, I looked at it and it does avoid the BIG limitation posed by the standard spec in fact. Still I cannot use it since it disables the passing of the principal identity through calls to EJB methods. Now, I am new to the web development and it amazes me that such a basic feature is missing from the Servlet spec and is not addressed. Why is it that way? Is it so unusual to want to have the login fields on the start page?? Thanks, Erez -Original Message- From: Sean Radford [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 08, 2003 8:21 PM To: Struts Users Mailing List Subject: RE: Login Form Have a look at this (you may find what you want): http://sourceforge.net/projects/securityfilter/ Sean > -Original Message- > From: Erez Efrati [mailto:[EMAIL PROTECTED] > Sent: July 8, 2003 10:11 AM > To: 'Struts Users Mailing List' > Subject: Login Form > > > Hi, > > My question is a bit off Struts but still since I am using Struts and > it's too urgent for me I thought to try my luck here, maybe someone had > stumbled on this issue too. > > I am running JBoss/Tomcat/Struts using the JAAS for handling the > application security aspects. I have used the > FORM clauses inside the Web.xml file. > > In my web site I want to have the site home page to have also a small > login form where the user could enter username and password and login to > the site. The home page, contains other links as well, which lead to > other parts of the site or even to external pages on other sites. > > >From what I've read so far, it seems to me that the FORM method is > activated only when the web user tries to access a protected page. Then > the Web Server (Tomcat in my case) returns the loginPage stated in the > Web.xml file, and only after the login is performed (j_security_check) > the Tomcat then redirects the web user to the original portected page. > > Is it possible to have the site home page as the login page still using > mechanisms of FORM and JAAS? If so I would really appreciate any help on > how to do it, and what are the configurations required. > > Thanks, > Erez > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Have a look at this (you may find what you want): http://sourceforge.net/projects/securityfilter/ Sean > -Original Message- > From: Erez Efrati [mailto:[EMAIL PROTECTED] > Sent: July 8, 2003 10:11 AM > To: 'Struts Users Mailing List' > Subject: Login Form > > > Hi, > > My question is a bit off Struts but still since I am using Struts and > it's too urgent for me I thought to try my luck here, maybe someone had > stumbled on this issue too. > > I am running JBoss/Tomcat/Struts using the JAAS for handling the > application security aspects. I have used the > FORM clauses inside the Web.xml file. > > In my web site I want to have the site home page to have also a small > login form where the user could enter username and password and login to > the site. The home page, contains other links as well, which lead to > other parts of the site or even to external pages on other sites. > > >From what I've read so far, it seems to me that the FORM method is > activated only when the web user tries to access a protected page. Then > the Web Server (Tomcat in my case) returns the loginPage stated in the > Web.xml file, and only after the login is performed (j_security_check) > the Tomcat then redirects the web user to the original portected page. > > Is it possible to have the site home page as the login page still using > mechanisms of FORM and JAAS? If so I would really appreciate any help on > how to do it, and what are the configurations required. > > Thanks, > Erez > > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] -- Dr. Sean Radford, MBBS, MSc <[EMAIL PROTECTED]> http://bladesys.demon.co.uk/ Blade Systems - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
On Tue, 8 Jul 2003, Erez Efrati wrote: > Date: Tue, 08 Jul 2003 19:03:17 +0200 > From: Erez Efrati <[EMAIL PROTECTED]> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]> > To: 'Struts Users Mailing List' <[EMAIL PROTECTED]> > Subject: RE: Login Form > > Yansheng Lin, I didn't understand, sorry. > > All I want to do is enable the users to login into my site from the > starting page of the web site. > > Is it possible to post the a form action='j_security_check'? No. If you really need programmatic login, you will want to look at "roll your own" security mechanisms instead of container managed security. > I mean before accessing a protected page which the Tomcat protects and > sends me the my login page. One approach would be to provide a login button (instead of a login form) that goes to a protected resource (triggering the login), and then have the protected resource forward or redirect back to your main menu. > I want to note here that I am using the > JAAS. > If you're using Tomcat's JAASRealm (or something like it) for this, this fact won't make any difference. > Thanks, > Erez Craig - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Here is the link: http://www.mail-archive.com/[EMAIL PROTECTED]/msg14215.html - Oh I thought you had trouble accessing a protected login page from a non-secure page. Is this what you want to do in your main page? User ID: Password: And your problem is that you don't have control over 'my_security_check' does in JAAS. I found an archive mail on this newsgroup, maybe what you want. Sorry I don't know much about the api in JAAS. -Original Message- From: Erez Efrati [mailto:[EMAIL PROTECTED] Sent: July 8, 2003 11:03 AM To: 'Struts Users Mailing List' Subject: RE: Login Form Yansheng Lin, I didn't understand, sorry. All I want to do is enable the users to login into my site from the starting page of the web site. Is it possible to post the a form action='j_security_check'? I mean before accessing a protected page which the Tomcat protects and sends me the my login page. I want to note here that I am using the JAAS. Thanks, Erez -Original Message- From: Yansheng Lin [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 08, 2003 5:47 PM To: 'Struts Users Mailing List' Subject: RE: Login Form Not sure if I understand it entirely. But you can use an iframe for the login form(protected page) on the site home page. Something like: Hope this helps. -Original Message- From: Erez Efrati [mailto:[EMAIL PROTECTED] Sent: July 8, 2003 10:11 AM To: 'Struts Users Mailing List' Subject: Login Form Hi, My question is a bit off Struts but still since I am using Struts and it's too urgent for me I thought to try my luck here, maybe someone had stumbled on this issue too. I am running JBoss/Tomcat/Struts using the JAAS for handling the application security aspects. I have used the FORM clauses inside the Web.xml file. In my web site I want to have the site home page to have also a small login form where the user could enter username and password and login to the site. The home page, contains other links as well, which lead to other parts of the site or even to external pages on other sites. >From what I've read so far, it seems to me that the FORM method is activated only when the web user tries to access a protected page. Then the Web Server (Tomcat in my case) returns the loginPage stated in the Web.xml file, and only after the login is performed (j_security_check) the Tomcat then redirects the web user to the original portected page. Is it possible to have the site home page as the login page still using mechanisms of FORM and JAAS? If so I would really appreciate any help on how to do it, and what are the configurations required. Thanks, Erez - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Oh I thought you had trouble accessing a protected login page from a non-secure page. Is this what you want to do in your main page? User ID: Password: And your problem is that you don't have control over 'my_security_check' does in JAAS. I found an archive mail on this newsgroup, maybe what you want. Sorry I don't know much about the api in JAAS. -Original Message- From: Erez Efrati [mailto:[EMAIL PROTECTED] Sent: July 8, 2003 11:03 AM To: 'Struts Users Mailing List' Subject: RE: Login Form Yansheng Lin, I didn't understand, sorry. All I want to do is enable the users to login into my site from the starting page of the web site. Is it possible to post the a form action='j_security_check'? I mean before accessing a protected page which the Tomcat protects and sends me the my login page. I want to note here that I am using the JAAS. Thanks, Erez -Original Message- From: Yansheng Lin [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 08, 2003 5:47 PM To: 'Struts Users Mailing List' Subject: RE: Login Form Not sure if I understand it entirely. But you can use an iframe for the login form(protected page) on the site home page. Something like: Hope this helps. -Original Message- From: Erez Efrati [mailto:[EMAIL PROTECTED] Sent: July 8, 2003 10:11 AM To: 'Struts Users Mailing List' Subject: Login Form Hi, My question is a bit off Struts but still since I am using Struts and it's too urgent for me I thought to try my luck here, maybe someone had stumbled on this issue too. I am running JBoss/Tomcat/Struts using the JAAS for handling the application security aspects. I have used the FORM clauses inside the Web.xml file. In my web site I want to have the site home page to have also a small login form where the user could enter username and password and login to the site. The home page, contains other links as well, which lead to other parts of the site or even to external pages on other sites. >From what I've read so far, it seems to me that the FORM method is activated only when the web user tries to access a protected page. Then the Web Server (Tomcat in my case) returns the loginPage stated in the Web.xml file, and only after the login is performed (j_security_check) the Tomcat then redirects the web user to the original portected page. Is it possible to have the site home page as the login page still using mechanisms of FORM and JAAS? If so I would really appreciate any help on how to do it, and what are the configurations required. Thanks, Erez - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Yansheng Lin, I didn't understand, sorry. All I want to do is enable the users to login into my site from the starting page of the web site. Is it possible to post the a form action='j_security_check'? I mean before accessing a protected page which the Tomcat protects and sends me the my login page. I want to note here that I am using the JAAS. Thanks, Erez -Original Message- From: Yansheng Lin [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 08, 2003 5:47 PM To: 'Struts Users Mailing List' Subject: RE: Login Form Not sure if I understand it entirely. But you can use an iframe for the login form(protected page) on the site home page. Something like: Hope this helps. -Original Message- From: Erez Efrati [mailto:[EMAIL PROTECTED] Sent: July 8, 2003 10:11 AM To: 'Struts Users Mailing List' Subject: Login Form Hi, My question is a bit off Struts but still since I am using Struts and it's too urgent for me I thought to try my luck here, maybe someone had stumbled on this issue too. I am running JBoss/Tomcat/Struts using the JAAS for handling the application security aspects. I have used the FORM clauses inside the Web.xml file. In my web site I want to have the site home page to have also a small login form where the user could enter username and password and login to the site. The home page, contains other links as well, which lead to other parts of the site or even to external pages on other sites. >From what I've read so far, it seems to me that the FORM method is activated only when the web user tries to access a protected page. Then the Web Server (Tomcat in my case) returns the loginPage stated in the Web.xml file, and only after the login is performed (j_security_check) the Tomcat then redirects the web user to the original portected page. Is it possible to have the site home page as the login page still using mechanisms of FORM and JAAS? If so I would really appreciate any help on how to do it, and what are the configurations required. Thanks, Erez - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login Form
Not sure if I understand it entirely. But you can use an iframe for the login form(protected page) on the site home page. Something like: Hope this helps. -Original Message- From: Erez Efrati [mailto:[EMAIL PROTECTED] Sent: July 8, 2003 10:11 AM To: 'Struts Users Mailing List' Subject: Login Form Hi, My question is a bit off Struts but still since I am using Struts and it's too urgent for me I thought to try my luck here, maybe someone had stumbled on this issue too. I am running JBoss/Tomcat/Struts using the JAAS for handling the application security aspects. I have used the FORM clauses inside the Web.xml file. In my web site I want to have the site home page to have also a small login form where the user could enter username and password and login to the site. The home page, contains other links as well, which lead to other parts of the site or even to external pages on other sites. >From what I've read so far, it seems to me that the FORM method is activated only when the web user tries to access a protected page. Then the Web Server (Tomcat in my case) returns the loginPage stated in the Web.xml file, and only after the login is performed (j_security_check) the Tomcat then redirects the web user to the original portected page. Is it possible to have the site home page as the login page still using mechanisms of FORM and JAAS? If so I would really appreciate any help on how to do it, and what are the configurations required. Thanks, Erez - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Login Form
Hi, My question is a bit off Struts but still since I am using Struts and it's too urgent for me I thought to try my luck here, maybe someone had stumbled on this issue too. I am running JBoss/Tomcat/Struts using the JAAS for handling the application security aspects. I have used the FORM clauses inside the Web.xml file. In my web site I want to have the site home page to have also a small login form where the user could enter username and password and login to the site. The home page, contains other links as well, which lead to other parts of the site or even to external pages on other sites. >From what I've read so far, it seems to me that the FORM method is activated only when the web user tries to access a protected page. Then the Web Server (Tomcat in my case) returns the loginPage stated in the Web.xml file, and only after the login is performed (j_security_check) the Tomcat then redirects the web user to the original portected page. Is it possible to have the site home page as the login page still using mechanisms of FORM and JAAS? If so I would really appreciate any help on how to do it, and what are the configurations required. Thanks, Erez - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Login and security checks
if role check fails, Struts sets HttpResponse code 400 (Bad Request) -D - Original Message - From: "Adam Hardy" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Saturday, June 14, 2003 2:44 AM Subject: Re: Login and security checks > What happens if you don't put a security constraint in the web.xml, but > instead just specify a role in action in struts-config.xml? > > Adam > > Erik Price wrote: > > You can limit the resources that are protected by container managed > > authentication in the deployment descriptor. Whichever Action requires > > authentication, just make sure that you've specified it as requiring > > such in the web.xml. > > > > > > Erik > > > - > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Login and security checks
What happens if you don't put a security constraint in the web.xml, but instead just specify a role in action in struts-config.xml? Adam Erik Price wrote: You can limit the resources that are protected by container managed authentication in the deployment descriptor. Whichever Action requires authentication, just make sure that you've specified it as requiring such in the web.xml. Erik - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login and security checks
Thanks for the replies Shunhui, Erik, Tero, and Chris. Very helpful suggestions. Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, June 13, 2003 2:59 PM To: [EMAIL PROTECTED] Subject: RE: Login and security checks Here's how I do it: use a servlet filter to handle login. Put all your secured (those requiring login) in a subfolder, and map the filter to that folder. In this way, the user can browse anywhere except when he/she comes to any page in the proteced folder, at that time he/she will be redirected to the login page. Shunhui -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, June 13, 2003 11:52 AM To: [EMAIL PROTECTED] Subject: Login and security checks I'm currently working on a web app which will be available publicly. In the past I've secured my webapp using Tomcat's form based security. This works fine if you require a user to log in as soon as the webapp is initiated (as is the case with most internal web apps). However, with my current webapp there is definitely a need for browsing before creating a user id. How can I organize my webapp so that some of the content is available to anybody, but other parts can only be done when the user logs in? This may also be tied into when to use http and when to use https. Any hints or links are welcome. Mike Witt - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Login and security checks
[EMAIL PROTECTED] writes: > there is definitely a need for browsing before creating a user id. How can I > organize my webapp so that some of the content is available to anybody, but > other parts can only be done when the user logs in? This may also be tied > into when to use http and when to use https. Any hints or links are > welcome. http://securityfilter.sf.net/ cdh -- Chris D. Halverson http://www.halverson.org/ YIM/AIM: chrisdhal MSN: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Login and security checks
> How can I organize my webapp so that some of the > content is available to anybody, but other parts > can only be done when the user logs in? available to anybody: http://www.example.com/yourapp/public/* protected: http://www.example.com/yourapp/members/* -TPP - This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, retention, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message. Also, email is susceptible to data corruption, interception, tampering, unauthorized amendment and viruses. We only send and receive emails on the basis that we are not liable for any such corruption, interception, tampering, amendment or viruses or any consequence thereof. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Login and security checks
[EMAIL PROTECTED] wrote: I'm currently working on a web app which will be available publicly. In the past I've secured my webapp using Tomcat's form based security. This works fine if you require a user to log in as soon as the webapp is initiated (as is the case with most internal web apps). However, with my current webapp there is definitely a need for browsing before creating a user id. How can I organize my webapp so that some of the content is available to anybody, but other parts can only be done when the user logs in? This may also be tied into when to use http and when to use https. Any hints or links are welcome. You can limit the resources that are protected by container managed authentication in the deployment descriptor. Whichever Action requires authentication, just make sure that you've specified it as requiring such in the web.xml. Erik - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]