Re: RE : Specifying roles for actions

2002-09-06 Thread Eddie Bush

Why would your login action have a role associated with it?!  ... isn't 
executing that action where you determine the role?  I ... think ... 
that might be your problem.  See - until a person is authenticated there 
is no principal.  Until you have a principal, you don't have the 
associated role information loaded.  Until you have the associated roles 
loaded, you can't very well use it as criteria ...

Maybe I missed something in earlier banter on this topic.

Regards,

Eddie

Michael wrote:

>>You will most likely want to use a  and an
>> in your web.xml file if you want the container to
>>authenticate users automatically.  The "roles" attribute in
>>struts-config.xml lets you impose additional restrictions above and
>>beyond
>>whatever is set up in web.xml, but doesn't have any way to trigger
>>authentication in the first place.
>
>I do in fact have this in my web.xml file.  In fact for the test1.jsp
>it's working properly.  So after this I add the "roles" to the action
>but the action gives me the error..
>
>Web.xml
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Test 1</web-resource-name>
>      <url-pattern>/test1.jsp</url-pattern>
>      <http-method>GET</http-method>
>      <http-method>POST</http-method>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>idtect_readonly</role-name>
>    </auth-constraint>
>  </security-constraint>
>  <login-config>
>    <auth-method>BASIC</auth-method>
>    <realm-name>Idtect OEM Server</realm-name>
>  </login-config>
>
>  <security-role>
>    <role-name>idtect_readonly</role-name>
>  </security-role>
>
>Struts_config.xml
>
>
>   type="com.idtect.oemserver.web.LoginAction"
>   name="loginForm"
>   scope="request"
>   input="/login.jsp"
>   roles="idtect_readonly">>
>
>I get the following error:
>
>HTTP Status 400 - User is not authorized to access action /login
>
>
>--
>To unsubscribe, e-mail:   
>For additional commands, e-mail: 
>







Re: Specifying roles for actions

2002-08-22 Thread Max Cooper

Michael,

I am glad you got it working.

> > I am not sure how much value the roles attribute for an
> > action has if it can't invoke the authentication sequence
> > (i.e. send you to the login page, and get you back to your
> > original request). It seems you would have to duplicate the
>
> I assumed Struts would in fact do this.  If it doesn't then I don't see
> how this feature can even be useful.  I definitely don't want my user to
> get an error message when they try to access the site.  Can someone
> confirm if Struts can provide this functionality (sending the user to a
> login page and then returning them to the original action requested)?

I think Struts might be able to do something tricky, but it probably isn't
worth the headache. I can imagine a sequence like this:

Scenario #1: not authorized
1. Request for action comes in, but the authenticated user does not meet the
role requirement.
2. Struts sets the 403 error code and returns, letting the container show
the 403 error page.
(it might do this already, but it seems weird that you got a 400 error page
that said "not authorized", so I am not sure)

Scenario #2: not authenticated
1. Request for action comes in, but the user is not authenticated.
2. Struts remembers the action requested and redirects to a special secured
URL.
3. The container sees that you aren't authenticated to access the special
secured URL and sends you to the login form.
4. You submit a login form, and get redirected to the special secured URL.
5. The response from the special secured URL is a redirect to the action you
originally requested.
6. Your request for the original action succeeds now that you are
authenticated and meet the role requirement.

The only problem here is keeping the POSTed parameters, if the original
request was a POST. This either requires special handling in Struts (to make
them available to the Action, but not any non-Actions you might forward to,
like a JSP) or a filter to make the posted parameters available to all
resources in the request. Perhaps there is an opportunity for synergy
between Struts and the SecurityFilter project here.

>
> > Also, watch out for specifying http-methods in web.xml, as
> > the settings won't match if the request is using a different
> > method. This might be okay if you want to ONLY allow GETs and
> > POSTs and block access to everything else with another
>
> You lost me.  What else is there besides GET & POST?  We're doing a
> basic webapp, HTML browser based.

Those are the two most important/common ones, but there are a bunch more
(OPTIONS, HEAD, PUT, DELETE, TRACE, CONNECT). Your actions will only respond
to GET and POST (is this right, listers?), so this probably isn't a major
issue. I suggest not specifying the http-method for your circumstances (so
the security-constraint will match all requests for the patterns, regardless
of the method), but like I said it probably isn't a major concern either
way. I wouldn't worry about it, but you might benefit from the opportunity
to reduce the bulk of your web.xml file.

-Max






RE : Specifying roles for actions

2002-08-22 Thread Michael

> You might need to make the request for /login.do (rather than 
> simply /login) depending on how your ActionServlet is mapped.

You were right on the money!  I changed the form to post to login.do and
now it works, but only if I'm already authenticated!  If I haven't
already authenticated, then I get the same error as before (400 - User
is not authorized to access action /login).  Which takes me to your next
point:
 
> I am not sure how much value the roles attribute for an 
> action has if it can't invoke the authentication sequence 
> (i.e. send you to the login page, and get you back to your 
> original request). It seems you would have to duplicate the 

I assumed Struts would in fact do this.  If it doesn't then I don't see
how this feature can even be useful.  I definitely don't want my user to
get an error message when they try to access the site.  Can someone
confirm if Struts can provide this functionality (sending the user to a
login page and then returning them to the original action requested)?

> Also, watch out for specifying http-methods in web.xml, as 
> the settings won't match if the request is using a different 
> method. This might be okay if you want to ONLY allow GETs and 
> POSTs and block access to everything else with another 

You lost me.  What else is there besides GET & POST?  We're doing a
basic webapp, HTML browser based.

Thanks for the help,
Michael






Re: Specifying roles for actions

2002-08-22 Thread Max Cooper

Michael,

Have you tried accessing /test1.jsp first to get authenticated?

The 400 error indicates that the resource was not found. 403 is the error
code for "not authorized". I have noticed that you can get 400 errors if
there is a FileNotFoundException thrown while handling the request, even if
the request mapped to a "real" resource like a Struts action.

You might need to make the request for /login.do (rather than simply /login)
depending on how your ActionServlet is mapped.

I am not sure how much value the roles attribute for an action has if it
can't invoke the authentication sequence (i.e. send you to the login page,
and get you back to your original request). It seems you would have to
duplicate the settings with url-mappings in web.xml to get the just-in-time
authentication that you probably want. At that point, there doesn't seem to
be any reason to duplicate the role requirement in struts-config.xml (and
the downside that you would have to maintain the information in two places).
On the other hand, it might be useful to specify the roles in
struts-config.xml because it is easier for the action implementor to specify
them there. If you had a script that would then read the struts-config.xml
to produce matching settings in web.xml, it might be of value.

Also, watch out for specifying http-methods in web.xml, as the settings
won't match if the request is using a different method. This might be okay
if you want to ONLY allow GETs and POSTs and block access to everything else
with another security-constraint like this:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Block all requests not specifically granted by other constraints</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- no role-name listed: no user is granted access to these URLs -->
  </auth-constraint>
</security-constraint>

Watch out, though, as this "no access" constraint will be matched before any
"extension mappings" like *.do or *.jsp. Exact patterns like /test1.jsp and
longer path patterns like /auth/* will be evaluated first, however.

-Max

- Original Message -
From: "Michael" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Thursday, August 22, 2002 12:58 AM
Subject: RE : Specifying roles for actions


> > You will most likely want to use a  and an
> >  in your web.xml file if you want the container to
> > authenticate users automatically.  The "roles" attribute in
> > struts-config.xml lets you impose additional restrictions above and
> > beyond
> > whatever is set up in web.xml, but doesn't have any way to trigger
> > authentication in the first place.
>
> I do in fact have this in my web.xml file.  In fact for the test1.jsp
> it's working properly.  So after this I add the "roles" to the action
> but the action gives me the error..
>
> Web.xml
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Test 1</web-resource-name>
>       <url-pattern>/test1.jsp</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>idtect_readonly</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>Idtect OEM Server</realm-name>
>   </login-config>
>
>   <security-role>
>     <role-name>idtect_readonly</role-name>
>   </security-role>
>
> Struts_config.xml
>
> 
> type="com.idtect.oemserver.web.LoginAction"
>name="loginForm"
>scope="request"
>input="/login.jsp"
>roles="idtect_readonly">>
>
> I get the following error:
>
> HTTP Status 400 - User is not authorized to access action /login
>
>


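Max's idea of a script that reads struts-config.xml to produce matching web.xml settings, together with his http-method caveat, as an added example that is not code from this thread or from Struts: it derives one container security-constraint per action mapping that carries a roles attribute, deliberately emits no http-method so the constraint covers every HTTP method, and flags existing constraints that do list http-method. The sample struts-config.xml and web.xml are constructed, and the .do extension assumes the ActionServlet is mapped to *.do.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts-config.xml, modelled on the mapping in the thread.
STRUTS_CONFIG = """<struts-config><action-mappings>
  <action path="/login" type="com.idtect.oemserver.web.LoginAction"
          name="loginForm" scope="request" input="/login.jsp"
          roles="idtect_readonly"/>
  <action path="/report" type="com.example.ReportAction"
          roles="idtect_readonly, idtect_admin"/>
  <action path="/about" type="com.example.AboutAction"/>
</action-mappings></struts-config>"""

# Constructed sample web.xml: "Test 1" lists GET and POST only, "Block" does not.
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <web-resource-name>Test 1</web-resource-name><url-pattern>/test1.jsp</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection><auth-constraint><role-name>idtect_readonly</role-name>
</auth-constraint></security-constraint><security-constraint>
<web-resource-collection><web-resource-name>Block</web-resource-name>
  <url-pattern>/*</url-pattern></web-resource-collection><auth-constraint/>
</security-constraint></web-app>"""

def constraints_from_struts_config(xml_text, extension=".do"):
    """[(url_pattern, [roles])] per action with a roles attribute; *.do mapping assumed."""
    result = []
    for action in ET.fromstring(xml_text).iter("action"):
        roles = [r.strip() for r in (action.get("roles") or "").split(",") if r.strip()]
        if roles:  # actions without roles need no container constraint
            result.append((action.get("path") + extension, roles))
    return result

def render_security_constraints(constraints):
    """web.xml <security-constraint> elements; no <http-method>, so every method is covered."""
    parts = []
    for pattern, roles in constraints:
        sc = ET.Element("security-constraint")
        coll = ET.SubElement(sc, "web-resource-collection")
        ET.SubElement(coll, "web-resource-name").text = "Struts action " + pattern
        ET.SubElement(coll, "url-pattern").text = pattern
        auth = ET.SubElement(sc, "auth-constraint")
        for role in roles:
            ET.SubElement(auth, "role-name").text = role
        parts.append(ET.tostring(sc, encoding="unicode"))
    return "\n".join(parts)

def method_limited_constraints(web_xml_text):
    """Names of constraints listing <http-method>; other methods on those patterns escape them."""
    return [coll.findtext("web-resource-name")
            for coll in ET.fromstring(web_xml_text).iter("web-resource-collection")
            if coll.find("http-method") is not None]
```

The generated elements still have to be placed inside web.xml by hand, and the role names must also appear in security-role declarations there.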




RE : Specifying roles for actions

2002-08-22 Thread Michael

> You will most likely want to use a  and an
>  in your web.xml file if you want the container to
> authenticate users automatically.  The "roles" attribute in
> struts-config.xml lets you impose additional restrictions above and
> beyond
> whatever is set up in web.xml, but doesn't have any way to trigger
> authentication in the first place.

I do in fact have this in my web.xml file.  In fact for the test1.jsp
it's working properly.  So after this I add the "roles" to the action
but the action gives me the error..

Web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test 1</web-resource-name>
      <url-pattern>/test1.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>idtect_readonly</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Idtect OEM Server</realm-name>
  </login-config>

  <security-role>
    <role-name>idtect_readonly</role-name>
  </security-role>

Struts_config.xml


>

I get the following error:

HTTP Status 400 - User is not authorized to access action /login






Re: Specifying roles for actions

2002-08-21 Thread Craig R. McClanahan

You will most likely want to use a  and an
 in your web.xml file if you want the container to
authenticate users automatically.  The "roles" attribute in
struts-config.xml lets you impose additional restrictions above and beyond
whatever is set up in web.xml, but doesn't have any way to trigger
authentication in the first place.

Craig

On Wed, 21 Aug 2002, Michael wrote:

> Date: Wed, 21 Aug 2002 12:24:38 +0200
> From: Michael <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: Struts Users Mailing List <[EMAIL PROTECTED]>
> Subject: Specifying roles for actions
>
> I just got J2EE container managed security working and now I'd like to
> add roles to my struts action.  I downloaded the Struts 1.1b2 and have
> it installed.  When I add a role to my action:
>
> 
> type="com.idtect.oemserver.web.LoginAction"
>name="loginForm"
>   scope="request"
>   input="/login.jsp"
>   roles="idtect_readonly">
>
> I get the following error:
>
> HTTP Status 400 - User is not authorized to access action /login
>
> I was expecting it to display a login box.  So then I protected a JSP
> using the web.xml file and accessed the JSP  (getting the login box and
> logging in).  I retried my action and got the same error.  This puzzled
> me because I was already logged in.
>
> I know this is a new feature, but if anyone has any examples or a link
> to some documentation on this I'd greatly appreciate.  The thought of
> specifying security for each action in my web.xml really bothers me.  I
> think this roles attribute is a great addition to Struts.
>
> Michael
>
>






Specifying roles for actions

2002-08-21 Thread Michael

I just got J2EE container managed security working and now I'd like to
add roles to my struts action.  I downloaded the Struts 1.1b2 and have
it installed.  When I add a role to my action:




I get the following error:

HTTP Status 400 - User is not authorized to access action /login

I was expecting it to display a login box.  So then I protected a JSP
using the web.xml file and accessed the JSP  (getting the login box and
logging in).  I retried my action and got the same error.  This puzzled
me because I was already logged in.

I know this is a new feature, but if anyone has any examples or a link
to some documentation on this I'd greatly appreciate.  The thought of
specifying security for each action in my web.xml really bothers me.  I
think this roles attribute is a great addition to Struts.

Michael

