RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml
You may wish to look at JAAS if you have so many diff roles and users per role.

Anyway, Struts lets you specify a role attribute (that takes comma-separated values, I guess) for each action. You can extend the RequestProcessor class and modify the processRoles() method so you can redirect to any page if the roles are not valid for that action, etc.

Struts, using declarative roles, tried to make things easier in terms of less programming effort and ease of managing roles. For the rest, I can't see much difference. Any opinions?

HTH
Navjot Singh

-----Original Message-----
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 7:26 AM
To: Struts Users Mailing List
Subject: RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

But, I do not want to use BASIC authentication. I have many different roles and hundreds of people per role. Users' name, role, etc. are stored in a database.

--- Matt Raible [EMAIL PROTECTED] wrote:
> A JDBCRealm can use BASIC authentication - it doesn't require form-based. Here's an example app that might help you out:
>
> http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
>
> HTH,
> Matt
>
> -----Original Message-----
> From: Caroline Jen [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 06, 2003 4:45 PM
> To: [EMAIL PROTECTED]
> Subject: Container-Managed Authentication login-config in web.xml vs. Specifying Paths in the struts-config.xml
>
> I use the Tomcat. I configured the Tomcat JDBCRealm so that I can use programmatic security testing, such as isUserInRole(), in my program. Because Tomcat JDBCRealm is form based, I inserted the login-config and its sub-elements in my web.xml file (see below). As we know, the form-login-page and form-error-page are required.
>
> My question is that the container-managed authentication does not seem to be consistent with what we usually do in Struts; e.g. we state the logical name and path for each .jsp page in the struts-config.xml file.
>
> What is the Struts convention in dealing with user authentication? Should we specify the paths for the logon page and error page in the struts-config.xml, or should we use the form-login-page and form-error-page in the web.xml file?
>
> ==
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>SalesInfo</web-resource-name>
>             <url-pattern>/SalesInfo/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>manager</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>NONE</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>/authentication/login.html</form-login-page>
>             <form-error-page>/authentication/error.html</form-error-page>
>         </form-login-config>
>     </login-config>
>     <security-role>
>         <role-name>manager</role-name>
>     </security-role>

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
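Added example, not part of the original thread: a small Python audit of the web.xml fragment quoted above. It reports two things the thread does not discuss: the constraint names GET and POST, so it applies to those methods only, and the transport guarantee is NONE although FORM login submits a password. The function name audit_web_xml, the finding codes and the corrected HARDENED_WEB_XML variant are assumptions made for this example; the embedded XML is the thread's fragment wrapped in a web-app root so that it parses on its own.

```python
import xml.etree.ElementTree as ET

# Constructed input: the web.xml fragment quoted in the thread, wrapped in a
# <web-app> root element so that it parses on its own.
THREAD_WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/SalesInfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/authentication/login.html</form-login-page>
      <form-error-page>/authentication/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
"""

# The same descriptor with the two weak settings corrected (constructed).
HARDENED_WEB_XML = (
    THREAD_WEB_XML
    .replace("      <http-method>GET</http-method>\n", "")
    .replace("      <http-method>POST</http-method>\n", "")
    .replace("<transport-guarantee>NONE<", "<transport-guarantee>CONFIDENTIAL<")
)


def _texts(parent, path):
    """Stripped text of every element matching path below parent."""
    return [(el.text or "").strip() for el in parent.findall(path)]


def audit_web_xml(xml_text):
    """Return (code, detail) findings for the security section of a web.xml."""
    # ElementTree is fine for descriptors you own; it is not hardened
    # against hostile XML.
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop the namespace used by Servlet 2.4+ descriptors
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]

    findings = []
    declared = set(_texts(root, "security-role/role-name"))
    auth_method = (root.findtext("login-config/auth-method") or "").strip().upper()

    for sc in root.findall("security-constraint"):
        where = ", ".join(_texts(sc, "web-resource-collection/url-pattern"))
        # Listing <http-method> elements narrows the constraint to those methods.
        methods = _texts(sc, "web-resource-collection/http-method")
        if methods:
            findings.append(("METHOD_LIMITED",
                             f"{where}: only {'/'.join(methods)} are constrained; "
                             "omit <http-method> to cover every method"))
        # Only CONFIDENTIAL asks the container for an encrypted transport.
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee")
                     or "NONE").strip().upper()
        if auth_method in ("FORM", "BASIC") and guarantee != "CONFIDENTIAL":
            findings.append(("CLEARTEXT_LOGIN",
                             f"{where}: {auth_method} login with transport-guarantee "
                             f"{guarantee}; use CONFIDENTIAL"))
        # Roles used in a constraint must be declared in <security-role>.
        for role in _texts(sc, "auth-constraint/role-name"):
            if role != "*" and role not in declared:
                findings.append(("UNDECLARED_ROLE",
                                 f"{where}: role '{role}' has no <security-role>"))

    if auth_method == "FORM":
        # Both pages are required and are context-relative paths starting with "/".
        for tag in ("form-login-page", "form-error-page"):
            page = (root.findtext("login-config/form-login-config/" + tag) or "").strip()
            if not page.startswith("/"):
                findings.append(("BAD_FORM_PAGE", f"{tag} is '{page}'"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_web_xml(THREAD_WEB_XML):
        print(f"{code}: {detail}")
```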
Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml
Caroline Jen wrote:
> But, I do not want to use BASIC authentication. I have many different roles and hundreds of people per role. Users' name, role, etc. are stored in a database.

How authentication is performed (BASIC, form-based, DIGEST, or SSL client certificates) and how users are stored (database, directory server, local XML file, ...) are two separate questions. For most servers, any combination is possible.

With Tomcat, for example, you can configure JDBCRealm to point at your user and role definitions in a database, and then use those users with any of the authentication methods. For more information, see:

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

The choice between BASIC and form-based authentication, then, can be based on user interface related concerns, rather than worrying about a database.

Craig
Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml
People answer questions without reading my original post. Therefore, I must re-type my original question again.

Before I posted my question, I had configured the Tomcat JDBCRealm following the instructions at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html so that I can do security testing programmatically, such as isUserInRole(), in my program.

If I use form based authentication, I insert the login-config and its sub-elements in my web.xml file (see below). As we know, the form-login-page and form-error-page are required.

My question is that the container-managed authentication (we provide login page and error page in the web.xml) does not seem to be consistent with what we usually do in Struts; e.g. we state the logical name and path for each .jsp page in the struts-config.xml file.

What is the Struts convention in dealing with user authentication? Should we specify the paths for the logon page and error page in the struts-config.xml, or should we use the form-login-page and form-error-page in the web.xml file?

Thanks.

--- Craig R. McClanahan [EMAIL PROTECTED] wrote:
> Caroline Jen wrote:
> But, I do not want to use BASIC authentication. I have many different roles and hundreds of people per role. Users' name, role, etc. are stored in a database.
>
> How authentication is performed (BASIC, form-based, DIGEST, or SSL client certificates) and how users are stored (database, directory server, local XML file, ...) are two separate questions. For most servers, any combination is possible.
>
> With Tomcat, for example, you can configure JDBCRealm to point at your user and role definitions in a database, and then use those users with any of the authentication methods. For more information, see:
>
> http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
>
> The choice between BASIC and form-based authentication, then, can be based on user interface related concerns, rather than worrying about a database.
>
> Craig
>
> --- Matt Raible [EMAIL PROTECTED] wrote:
> A JDBCRealm can use BASIC authentication - it doesn't require form-based. Here's an example app that might help you out:
>
> http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
>
> HTH,
> Matt
>
> -----Original Message-----
> From: Caroline Jen [mailto:[EMAIL PROTECTED]
> Sent: Monday, October 06, 2003 4:45 PM
> To: [EMAIL PROTECTED]
> Subject: Container-Managed Authentication login-config in web.xml vs. Specifying Paths in the struts-config.xml
>
> I use the Tomcat. I configured the Tomcat JDBCRealm so that I can use programmatic security testing, such as isUserInRole(), in my program. Because Tomcat JDBCRealm is form based, I inserted the login-config and its sub-elements in my web.xml file (see below). As we know, the form-login-page and form-error-page are required.
>
> My question is that the container-managed authentication does not seem to be consistent with what we usually do in Struts; e.g. we state the logical name and path for each .jsp page in the struts-config.xml file.
>
> What is the Struts convention in dealing with user authentication? Should we specify the paths for the logon page and error page in the struts-config.xml, or should we use the form-login-page and form-error-page in the web.xml file?
>
> ==
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>SalesInfo</web-resource-name>
>             <url-pattern>/SalesInfo/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>manager</role-name>
>         </auth-constraint>
>         <user-data-constraint>
>             <transport-guarantee>NONE</transport-guarantee>
>         </user-data-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>/authentication/login.html</form-login-page>
>             <form-error-page>/authentication/error.html</form-error-page>
>         </form-login-config>
>     </login-config>
>     <security-role>
>         <role-name>manager</role-name>
>     </security-role>
RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml
Don't put anything in struts-config. In web.xml, put:

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp?error=true</form-error-page>
        </form-login-config>
    </login-config>

You can use whatever code you like in login.jsp, here's mine as an example:

    <%@ include file="/common/taglibs.jsp"%>
    <tiles:insert definition=".login" flush="true"/>

So you can see it uses Tiles - here's my .login definition:

    <!-- Login Page definition -->
    <definition name=".login" extends="baseLayout">
        <put name="titleKey" value="login.title"/>
        <put name="headingKey" value="login.heading"/>
        <put name="menu" value="/menu.html"/>
        <put name="content" value="/WEB-INF/pages/login.jsp"/>
    </definition>

Where /pages/login.jsp is:

    <%@ include file="/common/taglibs.jsp"%>

    <div id="loginTable">
    <form method="post" id="loginForm" action="j_security_check">
    <table width="100%">
        <tr>
            <td colspan="2">
                <c:if test="${param.error != null}">
                <div class="error" style="margin-right: 0; margin-bottom: 3px; margin-top: 3px">
                    <html:img pageKey="icon.warning.img" altKey="icon.warning" styleClass="icon"/>
                    <fmt:message key="errors.password.mismatch"/>
                </div>
                </c:if>
            </td>
        </tr>
        <tr>
            <th>
                <label for="j_username" class="required">
                    <fmt:message key="label.username"/>*:
                </label>
            </th>
            <td>
                <input type="text" name="j_username" id="j_username" size="25" />
            </td>
        </tr>
        <tr>
            <th>
                <label for="j_password" class="required">
                    <fmt:message key="label.password"/>*:
                </label>
            </th>
            <td>
                <input type="password" name="j_password" id="j_password" size="20" />
            </td>
        </tr>
        <tr>
            <td></td>
            <td>
                <input type="checkbox" name="rememberMe" id="rememberMe" />
                <label for="rememberMe"><fmt:message key="login.rememberMe"/></label>
                <!-- for Resin -->
                <input type="hidden" name="j_uri" id="j_uri" value="" />
            </td>
        </tr>
        <tr>
            <td></td>
            <td>
                <input type="submit" name="login" id="login" value="Login" />
                <input type="reset" name="reset" id="reset" value="Reset"
                    onclick="document.getElementById('j_username').focus()" />
            </td>
        </tr>
        <tr>
            <td></td>
            <td><br /><fmt:message key="login.signup"/></td>
        </tr>
    </table>
    </form>
    </div>

HTH,
Matt
Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml
Logical paths work fine for me in web.xml (using tomcat 4.1.x):

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/do/login/edit</form-login-page>
            <form-error-page>/do/login/fail</form-error-page>
        </form-login-config>
    </login-config>

Andrew
Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml
Thanks a lot, Andrew. I got the idea.
RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml
A JDBCRealm can use BASIC authentication - it doesn't require form-based. Here's an example app that might help you out:

http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample

HTH,
Matt
Re: Container-Managed Authentication login-config in web.xml vs. Specifying Paths in the struts-config.xml
Hi Caroline,

If I remember correctly, it is not possible to use Action servlet mappings for the login and error pages in Tomcat. I do know for sure that it is recommended practice to keep those pages separate programmatically and to view them as part of the container rather than part of your app. Check the archives for a few threads on that matter.

Adam

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml
But, I do not want to use BASIC authentication. I have many different roles and hundreds of people per role. Users' name, role, etc. are stored in a database.