Hi, I saw your message asking me about the form-based container-managed authentication in Struts. I accidentally deleted your message and could not find your name and e-mail address.
The following steps are what should be done:

1. Configure the JDBCRealm in the Tomcat server.xml; see
   http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

2. Container-managed, form-based authentication is completely handled by the server. That is to say, it is none of Struts' business. Prepare your logon.jsp and error.jsp (do not use Struts tags). There is nothing wrong with your j_security_check, ..., etc.

3. In your web.xml, you have

   <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/signin/logon.jsp</form-login-page>
       <form-error-page>/signin/error.jsp</form-error-page>
     </form-login-config>
   </login-config>

4. Do not change your action forward in the struts-config.xml file (i.e. do not forward anything to logon.jsp because it has nothing to do with Struts) except add redirect="true". For example:

   <forward name="logon" redirect="true" path="/do/admin/Menu"/>

Craig McClanahan wrote a detailed explanation on how it works (I am quoting what Craig said below):

form-based login is triggered the first time that an unauthenticated user requests a URL that is protected by a security constraint.

(1) Unauthenticated user requests a protected resource (*NOT* the login page!)

(2) Container remembers the protected resource that was requested in a private variable.

(3) Container displays the login page, which must have a destination of "j_security_check", and waits for the user submit. For some containers, including Tomcat, this is the one-and-only time that submitting to "j_security_check" will not return a 404.

(4) User enters username and password, and presses the submit button.

(5) the post to j_security_check is intercepted by your servlet container, which performs Container Managed Authentication - it looks for the j_username and j_password, authenticates the combination, and forwards to the originally requested resource, or to a configurable error page if the authentication

(6) Container authenticates the username (j_username) and password (j_password) combination. If valid, container recalls the originally requested resource saved in (2) and displays *that* to the user in response to the login submit. Or forwards to a configurable error page if the authentication fails.

The important point is that, at no time, did anyone ever submit a request to the URL of the login page, because there is no such thing. Also think of the login page as part of the container, not part of your app.

Let me know if you have further questions.

-Caroline
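
The flow quoted above, as a small Python model of the container's saved-request logic. This is an added example, not part of the original message and not Tomcat's code; the user table, the session ids and the /do/admin/ prefix standing in for a security constraint are assumptions, and the page paths are the ones from the web.xml in step 3.

```python
# Simplified model of container-managed FORM login; not Tomcat's implementation.
# PROTECTED, USERS and the session ids are constructed assumptions.
import hmac

PROTECTED = "/do/admin/"              # stands in for a <security-constraint>
LOGIN_PAGE = "/signin/logon.jsp"      # <form-login-page> from web.xml
ERROR_PAGE = "/signin/error.jsp"      # <form-error-page> from web.xml
USERS = {"alice": "s3cret"}           # stands in for the JDBCRealm


class Container:
    def __init__(self):
        self.sessions = {}            # session id -> per-session state

    def handle(self, sid, method, path, form=None):
        s = self.sessions.setdefault(sid, {"user": None, "saved": None})
        if path == "/j_security_check":
            return self._check(s, method, form or {})
        if path.startswith(PROTECTED) and s["user"] is None:
            s["saved"] = path                    # step (2): remember the target
            return 200, "render " + LOGIN_PAGE   # step (3): show the login page
        return 200, "render " + path

    def _check(self, s, method, form):
        # Only meaningful while a protected request is pending (step 3).
        if method != "POST" or s["saved"] is None:
            return 404, "not found"
        user, pw = form.get("j_username", ""), form.get("j_password", "")
        ok = user in USERS and hmac.compare_digest(USERS[user], pw)  # constant-time
        if ok:
            s["user"], target = user, s["saved"]
            s["saved"] = None
            return 200, "render " + target       # step (6): original resource
        return 200, "render " + ERROR_PAGE       # step (6): failure branch


def demo():
    c = Container()
    creds = {"j_username": "alice", "j_password": "s3cret"}
    return [
        c.handle("A", "POST", "/j_security_check", creds),  # no pending request
        c.handle("B", "GET", "/do/admin/Menu"),             # triggers the login page
        c.handle("B", "POST", "/j_security_check", creds),  # resumes saved target
        c.handle("B", "POST", "/j_security_check", creds),  # nothing pending now
    ]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Session "A" shows why a login form reached outside this flow cannot complete: with no saved request, the submit to j_security_check has nowhere to go.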