RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Navjot Singh
You may wish to look at JAAS if you have so many different roles and users per
role.

Anyway, Struts lets you specify a role attribute (that takes comma-separated values,
I guess) for each action. You can extend the RequestProcess class and modify the
processRoles() method so that you can redirect to any page if the roles are not
valid for that action, etc.

Struts, using declarative roles, tried to make things easier in terms of less
programming effort and ease of managing roles. Beyond that, I can't see much
difference. Any opinions?

HTH
Navjot Singh

-Original Message-
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 7:26 AM
To: Struts Users Mailing List
Subject: RE: Container-Managed Authentication login-config in web.xml
vs . Specifying Paths in the struts-config.xml


But, I do not want to use BASIC authentication.  I
have many different roles and hundreds of people per
role.  Users' name, role, etc. are stored in a
database.


Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Craig R. McClanahan
Caroline Jen wrote:

> But, I do not want to use BASIC authentication.  I
> have many different roles and hundreds of people per
> role.  Users' name, role, etc. are stored in a
> database.

How authentication is performed (BASIC, form-based, DIGEST, or SSL
client certificates) and how users are stored (database, directory
server, local XML file, ...) are two separate questions.  For most
servers, any combination is possible.  With Tomcat, for example, you
can configure JDBCRealm to point at your user and role definitions in a
database, and then use those users with any of the authentication
methods.  For more information, see:

   http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

The choice between BASIC and form-based authentication, then, can be 
based on user interface related concerns, rather than worrying about a 
database.

Craig



Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Caroline Jen
People answer questions without reading my original
post.  Therefore, I must re-type my original question
again.

Before I posted my question, I had configured the
Tomcat JDBCRealm following the instructions at
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
so that I can do security testing programmatically, such
as isUserInRole(), in my program.

If I use form based authentication, I insert the
login-config and its sub-elements in my web.xml file
(see below).  As we know, the form-login-page and
form-error-page are required.

My question is that the container-managed
authentication (we provide login page and error page
in the web.xml) does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts.config.xml or
we should use the form-login-page and
form-error-page in the web.xml file?

Thanks.

RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Matt Raible
Don't put anything in struts-config; in web.xml, put:

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp?error=true</form-error-page>
        </form-login-config>
    </login-config>


You can use whatever code you like in login.jsp, here's mine as an example:

    <%@ include file="/common/taglibs.jsp"%>

    <tiles:insert definition=".login" flush="true"/>

So you can see it uses Tiles - here's my .login definition:

    <!-- Login Page definition -->
    <definition name=".login" extends="baseLayout">
        <put name="titleKey"  value="login.title"/>
        <put name="headingKey" value="login.heading"/>
        <put name="menu" value="/menu.html"/>
        <put name="content" value="/WEB-INF/pages/login.jsp"/>
    </definition>

Where /pages/login.jsp is:

    <%@ include file="/common/taglibs.jsp"%>

    <div id="loginTable">
    <form method="post" id="loginForm" action="j_security_check">
    <table width="100%">
        <tr>
            <td colspan="2">
                <c:if test="${param.error != null}">
                <div class="error"
                    style="margin-right: 0; margin-bottom: 3px; margin-top: 3px">
                    <html:img pageKey="icon.warning.img"
                        altKey="icon.warning" styleClass="icon"/>
                    <fmt:message key="errors.password.mismatch"/>
                </div>
                </c:if>
            </td>
        </tr>
        <tr>
            <th>
                <label for="j_username" class="required">
                    <fmt:message key="label.username"/>*:
                </label>
            </th>
            <td>
                <input type="text" name="j_username" id="j_username" size="25" />
            </td>
        </tr>
        <tr>
            <th>
                <label for="j_password" class="required">
                    <fmt:message key="label.password"/>*:
                </label>
            </th>
            <td>
                <input type="password" name="j_password" id="j_password"
                    size="20" />
            </td>
        </tr>
        <tr>
            <td></td>
            <td>
                <input type="checkbox" name="rememberMe" id="rememberMe" />
                <label for="rememberMe"><fmt:message
                    key="login.rememberMe"/></label>
                <!-- for Resin -->
                <input type="hidden" name="j_uri" id="j_uri" value="" />
            </td>
        </tr>
        <tr>
            <td></td>
            <td>
                <input type="submit" name="login" id="login" value="Login" />
                <input type="reset" name="reset" id="reset" value="Reset"
                    onclick="document.getElementById('j_username').focus()" />
            </td>
        </tr>
        <tr>
            <td></td>
            <td><br /><fmt:message key="login.signup"/></td>
        </tr>
    </table>
    </form>
    </div>

HTH,

Matt



Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Andrew Shirk
Logical paths work fine for me in web.xml (using tomcat 4.1.x):

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>
                /do/login/edit
            </form-login-page>
            <form-error-page>
                /do/login/fail
            </form-error-page>
        </form-login-config>
    </login-config>

Andrew


Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Caroline Jen
Thanks a lot, Andrew.  I got the idea.

RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-06 Thread Matt Raible
A JDBCRealm can use BASIC authentication - it doesn't require form-based.
Here's an example app that might help you out:

http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample

HTH,

Matt

-Original Message-
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: Container-Managed Authentication login-config in web.xml vs.
Specifying Paths in the struts-config.xml


I use the Tomcat.  I configured the Tomcat JDBCRealm
so that I can use programmatic security testing, such as
isUserInRole(), in my program.

Because Tomcat JDBCRealm is form based, I inserted the
login-config and its sub-elements in my web.xml file
(see below).  As we know, the form-login-page and
form-error-page are required.

My question is that the container-managed
authentication does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts.config.xml or
we should use the form-login-page and
form-error-page in the web.xml file?

==
<security-constraint>
   <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/SalesInfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>manager</role-name>
   </auth-constraint>
   <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
</security-constraint>

<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/authentication/login.html</form-login-page>
      <form-error-page>/authentication/error.html</form-error-page>
   </form-login-config>
</login-config>

<security-role>
   <role-name>manager</role-name>
</security-role>




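
A check for the constraint quoted in the message above, as an added example that is not part of the original thread: the posted security-constraint lists only GET and POST, so under the Servlet specification requests to /SalesInfo/* with any other HTTP method fall outside the role check, and transport-guarantee NONE lets the FORM login travel over plain HTTP. The function name audit_web_xml, the check ids and the hardened variant are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# The constraint and login-config as posted in the thread, wrapped in a
# <web-app> root so that it parses as one document.
POSTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/SalesInfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/authentication/login.html</form-login-page>
      <form-error-page>/authentication/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>"""

# Constructed hardened variant (an assumption of this example): the
# <http-method> list is dropped, so the constraint covers every method,
# and the container is told to require HTTPS for the protected paths.
HARDENED = (POSTED
            .replace("      <http-method>GET</http-method>\n", "")
            .replace("      <http-method>POST</http-method>\n", "")
            .replace(">NONE<", ">CONFIDENTIAL<"))


def _strip_ns(root):
    """Drop XML namespaces so 2.3 (DTD) and 2.4+ (schema) files look alike."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _texts(parent, path):
    """Trimmed text of every element matching path below parent."""
    return [(e.text or "").strip() for e in parent.findall(path)]


def audit_web_xml(xml_text):
    """Return a sorted list of (check_id, detail) findings for one web.xml."""
    root = _strip_ns(ET.fromstring(xml_text))
    declared = set(_texts(root, "security-role/role-name"))
    auth_method = (_texts(root, "login-config/auth-method") or ["(none)"])[0]
    findings = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # constraint carries no role requirement
        patterns = ", ".join(_texts(sc, "web-resource-collection/url-pattern"))
        # Listing methods narrows the constraint to those methods only.
        methods = _texts(sc, "web-resource-collection/http-method")
        if methods:
            findings.append(("methods-listed",
                             f"{patterns}: only {'/'.join(methods)} constrained"))
        # A missing user-data-constraint behaves like NONE.
        guarantee = (_texts(sc, "user-data-constraint/transport-guarantee")
                     or ["NONE"])[0]
        if guarantee == "NONE":
            findings.append(("no-tls",
                             f"{patterns}: {auth_method} login and session "
                             "not forced onto HTTPS"))
        # Roles used in a constraint should be declared in <security-role>.
        for role in _texts(sc, "auth-constraint/role-name"):
            if role != "*" and role not in declared:
                findings.append(("undeclared-role", role))
    return sorted(findings)


if __name__ == "__main__":
    for label, doc in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, audit_web_xml(doc))
```
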



Re: Container-Managed Authentication login-config in web.xml vs. Specifying Paths in the struts-config.xml

2003-10-06 Thread Adam Hardy
Hi Caroline,
if I remember correctly, it is not possible to use Action servlet 
mappings for the login and error pages in tomcat.

I do know for sure that it is recommended practice to keep those pages 
separate programmatically and to view them as part of the container 
rather than part of your app. Check the archives for a few threads on 
that matter.

Adam


--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-06 Thread Caroline Jen
But, I do not want to use BASIC authentication.  I
have many different roles and hundreds of people per
role.  Users' name, role, etc. are stored in a
database.