Re: form based auth and session timeout and post data

2004-03-25 Thread Adam Hardy
Martin,
I'm not familiar with xpetstore, so I didn't say anything when I read 
that you had container-managed security and a sign-on filter redirecting 
unauthenticated users. Basically you have made the sign-on filter 
redundant by implementing container-managed security.

However that's not to say that the sign-on filter doesn't do other stuff 
as well - I don't know. One thing for instance could be that it puts 
user information into the session so you don't need to repeatedly fetch 
the info with each request.

The filter won't be by-passed - it's not affected by the app you're 
running, only by tomcat 'filtering' on the URL and passing it the 
requests it's been configured to see in the web.xml.

Adam

On 03/25/2004 10:35 PM Martin Alley wrote:
> Hi Adam,
> 
> I modified the filter from xpetstore when I introduced container based
> security.  It should now redirect the user to the signonAction to
> synchronise container based auth with session based (legacy) record of
> the logged in user.  Thinking about it there could be some problems in
> there, but in the session timeout scenario, the SignonFilter doesn't get
> hit straight away (unlike the non-timeout scenario).
> 
> I guess the order of play is:
> Container based security
> Filter
> ActionServlet
> 
> Can't work out why the filter would appear to be bypassed.
> 
> Any ideas?
> 
> Thanks for helping.
> Martin
> 
> -----Original Message-----
> From: Adam Hardy [mailto:[EMAIL PROTECTED]
> Sent: 25 March 2004 21:18
> To: Struts Users Mailing List
> Subject: Re: form based auth and session timeout and post data
> 
> That's one mean filter.
> 
> It's not part of struts but judging merely from its name, it's obviously
> built into the app security. What does xpetstore say it's meant to do?
> Have you checked the filter's javadoc?
> 
> Adam
> 
> On 03/25/2004 10:07 PM Martin Alley wrote:
> > Hi,
> > 
> > I've got a struts based app using form based authentication (started out
> > as xpetstore).
> > 
> > I have a situation where if I'm on a web form protected by role based
> > security, and the session times out, and then I submit the form, I get
> > to the login page, login, but then the original form data is lost.
> > 
> > According to the log data, it's looking for an ActionForm of a different
> > name according to whether the session has timed out or not!!!
> > 
> > I thought this stuff was statically configured.
> > 
> > When there is no time out, the log looks like this:
> > 
> > 2004-03-25 19:40:19,350 INFO  [xpetstore.web.filter.SignOnFilter]
> > doFilter()
> > 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
> > user=bug1b
> > 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
> > isSignedIn=true
> > 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
> > uri=/MotoringMemorabilia/updateCustomer.jspa
> > 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
> > _login=/login.jspa
> > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] Get
> > module name for path /updateCustomer.jspa
> > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
> > Module name found: default
> > 2004-03-25 19:40:19,350 DEBUG
> > [org.apache.struts.action.RequestProcessor] Processing a 'POST' for path
> > '/updateCustomer'
> > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
> > Looking for ActionForm bean instance in scope 'request' under attribute
> > key 'existingCustomerForm'
> > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
> > Creating new ActionForm instance of type
> > 'xpetstore.web.struts.action.customer.ExistingCustomerForm'
> > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]  -->
> > [EMAIL PROTECTED]
> > 2004-03-25 19:40:19,350 DEBUG
> > [org.apache.struts.action.RequestProcessor]  Storing ActionForm bean
> > instance in scope 'request' under attribute key 'existingCustomerForm'
> > 2004-03-25 19:40:19,350 DEBUG
> > [org.apache.struts.action.RequestProcessor]  Populating bean properties
> > from this request
> > 2004-03-25 19:40:19,360 DEBUG
> > [org.apache.struts.action.RequestProcessor]  Validating input form
> > properties
> > 2004-03-25 19:40:19,370 DEBUG
> > [org.apache.struts.action.RequestProcessor]   No errors detected,
> > accepting input
> > 2004-03-25 19:40:19,370 DEBUG
> > [org.apache.struts.action.RequestProcessor]  Looking for Action instance
> > for class xpetstore.web.struts.action.customer.UpdateCustomerAction
> > 2004-03-25 19:40:19,370 DEBUG
> > [org.apache.struts.action.RequestProcessor]   Creating new Action
> > instance
> > 2004-03-25 19:40:19,370 INFO
> > [xpetstore.web.struts.action.customer.UpdateCustomerAction] execute()
> > 
> > When there is a timeout the log goes like this:
> > 
> > 2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]
> > Looking for ActionForm bean instance in scope 'request' under attribute
> > key 'newCustomerForm'
> > 2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]
> > Creating new ActionForm instance of type
> > 'xpetstore.web.struts.actio

RE: form based auth and session timeout and post data

2004-03-25 Thread Martin Alley
Hi Adam,

I modified the filter from xpetstore when I introduced container based
security.  It should now redirect the user to the signonAction to
synchronise container based auth with session based (legacy) record of
the logged in user.  Thinking about it there could be some problems in
there, but in the session timeout scenario, the SignonFilter doesn't get
hit straight away (unlike the non-timeout scenario).

I guess the order of play is:
Container based security
Filter
ActionServlet

Can't work out why the filter would appear to be bypassed.

Any ideas?

Thanks for helping.
Martin


-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED]
Sent: 25 March 2004 21:18
To: Struts Users Mailing List
Subject: Re: form based auth and session timeout and post data

That's one mean filter.

It's not part of struts but judging merely from its name, it's obviously
built into the app security. What does xpetstore say it's meant to do?
Have you checked the filter's javadoc?

Adam

On 03/25/2004 10:07 PM Martin Alley wrote:
> Hi,
> 
> I've got a struts based app using form based authentication (started out
> as xpetstore).
> 
> I have a situation where if I'm on a web form protected by role based
> security, and the session times out, and then I submit the form, I get
> to the login page, login, but then the original form data is lost.
> 
> According to the log data, it's looking for an ActionForm of a different
> name according to whether the session has timed out or not!!!
> 
> I thought this stuff was statically configured.
> 
> When there is no time out, the log looks like this:
> 
> 2004-03-25 19:40:19,350 INFO  [xpetstore.web.filter.SignOnFilter]
> doFilter()
> 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
> user=bug1b
> 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
> isSignedIn=true
> 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
> uri=/MotoringMemorabilia/updateCustomer.jspa
> 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
> _login=/login.jspa
> 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] Get
> module name for path /updateCustomer.jspa
> 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
> Module name found: default
> 2004-03-25 19:40:19,350 DEBUG
> [org.apache.struts.action.RequestProcessor] Processing a 'POST' for path
> '/updateCustomer'
> 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
> Looking for ActionForm bean instance in scope 'request' under attribute
> key 'existingCustomerForm'
> 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
> Creating new ActionForm instance of type
> 'xpetstore.web.struts.action.customer.ExistingCustomerForm'
> 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]  -->
> [EMAIL PROTECTED]
> 2004-03-25 19:40:19,350 DEBUG
> [org.apache.struts.action.RequestProcessor]  Storing ActionForm bean
> instance in scope 'request' under attribute key 'existingCustomerForm'
> 2004-03-25 19:40:19,350 DEBUG
> [org.apache.struts.action.RequestProcessor]  Populating bean properties
> from this request
> 2004-03-25 19:40:19,360 DEBUG
> [org.apache.struts.action.RequestProcessor]  Validating input form
> properties
> 2004-03-25 19:40:19,370 DEBUG
> [org.apache.struts.action.RequestProcessor]   No errors detected,
> accepting input
> 2004-03-25 19:40:19,370 DEBUG
> [org.apache.struts.action.RequestProcessor]  Looking for Action instance
> for class xpetstore.web.struts.action.customer.UpdateCustomerAction
> 2004-03-25 19:40:19,370 DEBUG
> [org.apache.struts.action.RequestProcessor]   Creating new Action
> instance
> 2004-03-25 19:40:19,370 INFO
> [xpetstore.web.struts.action.customer.UpdateCustomerAction] execute()
> 
> When there is a timeout the log goes like this:
> 
> 2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]
> Looking for ActionForm bean instance in scope 'request' under attribute
> key 'newCustomerForm'
> 2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]
> Creating new ActionForm instance of type
> 'xpetstore.web.struts.action.customer.NewCustomerForm'
> 2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]  -->
> [EMAIL PROTECTED]
> 2004-03-25 20:10:56,918 DEBUG [org.apache.struts.util.RequestUtils] Get
> module name for path /index.jsp
> 2004-03-25 20:10:56,928 DEBUG
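
Adam's point at the top of this thread (container-managed security makes a redirecting sign-on filter redundant, leaving it only session bookkeeping to do) and Martin's "order of play" (container security, then filter, then ActionServlet) are illustrated by the following filter. It is an added example and not xpetstore's SignOnFilter or any code from this thread. It relies on the servlet contract that the container's security-constraint check runs before the filter chain, so on a protected URL getUserPrincipal() is already set when doFilter() runs; the class name, the session attribute key "signedInUser" and the log messages are assumptions made here.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not xpetstore's SignOnFilter): keeps the legacy
 * "signed-in user" session attribute in step with the identity the
 * container has already authenticated.
 *
 * The container enforces the web.xml security-constraint (and the
 * form-login redirect) before any filter is invoked, so this filter never
 * has to redirect to a login page itself. On a protected URL
 * request.getUserPrincipal() is non-null by the time doFilter() runs.
 */
public class ContainerSessionSyncFilter implements Filter {

    /** Assumed name of the session attribute the legacy code reads. */
    static final String USER_KEY = "signedInUser";

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed for this example.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Principal principal = request.getUserPrincipal();

        if (principal == null) {
            // No security-constraint matched this URL: nothing to synchronise.
            chain.doFilter(req, res);
            return;
        }

        HttpSession session = request.getSession(true);
        String recorded = (String) session.getAttribute(USER_KEY);
        String current = principal.getName();

        if (recorded == null) {
            // First protected request after login, or after a session timeout
            // followed by re-login: record the container's identity.
            session.setAttribute(USER_KEY, current);
        } else if (!recorded.equals(current)) {
            // The session still carries a different user than the one the
            // container just authenticated. Do not let the stale identity
            // (and any data keyed to it) survive: start a fresh session.
            session.invalidate();
            session = request.getSession(true);
            session.setAttribute(USER_KEY, current);
        }

        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

Which URLs reach this filter is decided solely by its filter-mapping in web.xml, which is what Adam means by the filter not being bypassed by the application. On a request whose session has expired, the container's form-login redirect happens before this filter sees anything; the filter only runs once the re-authenticated request reaches the protected URL, which is consistent with Martin's observation that the SignonFilter is not hit straight away in the timeout case.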

Re: form based auth and session timeout and post data

2004-03-25 Thread Adam Hardy
That's one mean filter.

It's not part of struts but judging merely from its name, it's obviously 
built into the app security. What does xpetstore say it's meant to do? 
Have you checked the filter's javadoc?

Adam

On 03/25/2004 10:07 PM Martin Alley wrote:
Hi,

I've got a struts based app using form based authentication (started out
as xpetstore).

I have a situation where if I'm on a web form protected by role based
security, and the session times out, and then I submit the form, I get
to the login page, login, but then the original form data is lost.

According to the log data, it's looking for an ActionForm of a different
name according to whether the session has timed out or not!!!

I thought this stuff was statically configured.

When there is no time out, the log looks like this:

2004-03-25 19:40:19,350 INFO  [xpetstore.web.filter.SignOnFilter]
doFilter()
2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
user=bug1b
2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
isSignedIn=true
2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
uri=/MotoringMemorabilia/updateCustomer.jspa
2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter]
_login=/login.jspa
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] Get
module name for path /updateCustomer.jspa
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
Module name found: default
2004-03-25 19:40:19,350 DEBUG
[org.apache.struts.action.RequestProcessor] Processing a 'POST' for path
'/updateCustomer'
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
Looking for ActionForm bean instance in scope 'request' under attribute
key 'existingCustomerForm'
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
Creating new ActionForm instance of type
'xpetstore.web.struts.action.customer.ExistingCustomerForm'
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]  -->
[EMAIL PROTECTED]
2004-03-25 19:40:19,350 DEBUG
[org.apache.struts.action.RequestProcessor]  Storing ActionForm bean
instance in scope 'request' under attribute key 'existingCustomerForm'
2004-03-25 19:40:19,350 DEBUG
[org.apache.struts.action.RequestProcessor]  Populating bean properties
from this request
2004-03-25 19:40:19,360 DEBUG
[org.apache.struts.action.RequestProcessor]  Validating input form
properties
2004-03-25 19:40:19,370 DEBUG
[org.apache.struts.action.RequestProcessor]   No errors detected,
accepting input
2004-03-25 19:40:19,370 DEBUG
[org.apache.struts.action.RequestProcessor]  Looking for Action instance
for class xpetstore.web.struts.action.customer.UpdateCustomerAction
2004-03-25 19:40:19,370 DEBUG
[org.apache.struts.action.RequestProcessor]   Creating new Action
instance
2004-03-25 19:40:19,370 INFO
[xpetstore.web.struts.action.customer.UpdateCustomerAction] execute()

When there is a timeout the log goes like this:

2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]
Looking for ActionForm bean instance in scope 'request' under attribute
key 'newCustomerForm'
2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]
Creating new ActionForm instance of type
'xpetstore.web.struts.action.customer.NewCustomerForm'
2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]  -->
[EMAIL PROTECTED]
2004-03-25 20:10:56,918 DEBUG [org.apache.struts.util.RequestUtils] Get
module name for path /index.jsp
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get
module name for path /cart.jspa
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get
module name for path /signon.jspa
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get
module name for path /search.jspa
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Looking for ActionForm bean instance in scope 'request' under attribute
key 'searchForm'
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Creating new ActionForm instance of type
'xpetstore.web.struts.action.product.SearchForm'
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]  -->
[EMAIL PROTECTED]
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get
module name for path /index.jsp
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get
module name for path /category.jspa?categoryId=SIGNS

The relevant action configuration looks like this:

  path="/updateCustomer"

  type="xpetstore.