user login authentication and session timeout

2004-03-22 Thread Charles Jordan
I'm looking for examples or to be pointed in the right direction on how
to achieve the following.
I want my users to be able to access a majority of my pages without having
to login, but if they select a specific page a small login pop-up window
would display which would require a valid user name and password. I also
want the session to time-out after a period of time.
Any ideas?

Charles (Allen) Jordan   [EMAIL PROTECTED]
  System Administrator(407)771-8919
  Convergys
  285 International Parkway, 
  Lake Mary, FL 32746-5007


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: user login authentication and session timeout

2004-03-22 Thread Kumar, Ram S

Hi,
 You can consider the following ways:

  1) You can associate an action class with the page that requires a username
and password. In that action class you can prompt for username and password.
Have a separate action class for the URLs that don't require login.

  2) Have a query string appended to every URL:
http://mydomain/mywebapp/myaction.do?login=NA for the actions that do not
require login, and http://mydomain/mywebapp/myaction.do?login=REQUIRED for
the ones that do. Map the URLs that require username and password to an
action class and you can do the validation in this action class.

You can specify the session timeout in the web.xml file for your web app. Refer
to the code snippet below.

<session-config>
  <session-timeout>30</session-timeout> <!-- 30 minutes -->
</session-config>

HTH
Ram Kumar.



RE: user login authentication and session timeout

2004-03-22 Thread Robert Taylor
Charles, you can use container managed security or the SecurityFilter to
authenticate users when accessing protected resources. You can set the session
timeout by adding something like the following to your web.xml file:

<session-config>
  <session-timeout>60</session-timeout>
</session-config>



You can find more information on SecurityFilter here:
http://sourceforge.net/projects/securityfilter/

Your servlet container documentation should let you know how to
implement container managed security.

robert






Form based authentication in tomcat with struts

2004-03-04 Thread Edd Dawson
Hi

I have successfully set up Tomcat to protect various parts of my
application using JDBCRealm and form-based authentication, and it all
works fine.

Now I have written a system whereby new users can register and it
creates them their chosen username and puts them in the right roles in
the database.

Now what I want to be able to do is have my servlet automatically log
them in as they register without the need for them to be redirected to
the login form and re-enter their username and password.

I am presuming this is possible as I log my users out by invoking
request.getSession().invalidate(); in my logoff servlet, so my question
is how do I create their session without using the default login form?

Thanks
Edd 





Re: Form based authentication in tomcat with struts

2004-03-04 Thread Adam Hardy
On 03/04/2004 09:28 PM Edd Dawson wrote:
 Now what I want to be able to do is have my servlet automatically log
 them in as they register without the need for them to be redirected to
 the login form and re-enter their username and password.
 I am presuming this is possible as I log my users out by invoking
 request.getSession().invalidate(); in my logoff servlet, so my question
 is how do I create their session without using the default login form?

There's nothing built-in to allow this in the servlet spec or in Tomcat.
Sorry. I've heard of it being done, but not by any nice or easy methods.

Adam
--
struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian


RE: servlet filters and authentication

2004-02-27 Thread David Evans
Hi,

I checked out SecurityFilter yesterday, after Robert Taylor's
recommendation, and have looked through a good bit of the source.
I'm probably going to use your package once I get this thing closer to
its final state. It looks like a great program.

I like to write my own lite versions of packages I use, if possible,
just to feel that I really know what's going on. I even did this with
Struts, believe it or not. I wrote a Struts lite that uses a controller,
action forms and actions, and an XML config file. I used it for a couple
of small projects, and now that I've got a handle on the basic idea, I
feel I can use the real Struts with more confidence. Right now I'm
concentrating on becoming very familiar with Struts; once I get that
down, in a couple of weeks I'll pop your SecurityFilter in.

dave

On Fri, 2004-02-27 at 01:31, Max Cooper wrote:
 I'm the primary author of the SecurityFilter project, and the filter
 logic is a bit more complicated than the code that was posted. Even if
 you decide not to use SecurityFilter, it is probably worth a look at the
 doFilter() method.
 
 Some issues that you will/may have to deal with:
 1. Filter getting executed on forwards (depends on your container).
 2. Sending the user back to the page they requested when the login
 sequence was initiated (a key feature, IMO).
 3. Keeping request parameters (both GET and POST) across the login
 event.
 4. Sending the user to an error page when the login fails.
 5. Allowing login form and error page requests to be processed without
 invoking the login sequence.
 6. Knowing what to do / where to send the user if they authenticate
 spontaneously (i.e. when they weren't sent to the login form by your
 filter).
 
 Basically, there's a lot of stuff to deal with even though it seems
 simple at first. :-) If you can use container-managed security or
 SecurityFilter, you'll probably save yourself some time that would
 otherwise be spent dealing with these issues. It is worth investigating
 the existing solutions before rolling your own.
 
 -Max
 

servlet filters and authentication

2004-02-26 Thread David Evans
Hello,

I'm configuring the skeleton of a multi-module Struts application, and I
would like to use a filter for the authentication.

Here is pseudo-Java (for easier reading) of the filter:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public final class AuthFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) request).getSession();
        Object auth = session.getAttribute("authenticated");
        if (Boolean.TRUE.equals(auth)) {
            // already logged in: pass the request down the chain
            chain.doFilter(request, response);
            return;
        } else {
            // not logged in: show the login page instead
            RequestDispatcher dispatcher =
                request.getRequestDispatcher("/WEB-INF/jsp/security/login.jsp");
            dispatcher.forward(request, response);
            return;
        }
    }
}


I've seen this skeleton suggested in several places on the web.
The question I have is this: after the user submits the login form,
the request will come through the filter, and since it has not yet
been authenticated, it will again forward to the login.jsp.
I've thought of a couple of ways to deal with this and
would like to get input on these and any other approaches.

1) Set the mapping of the filter in web.xml in such a way that it
allows the login action through. Maybe set all actions to have an
extension of .do except the login action, which has an extension of
.auth. I don't think this will work for me, because the multi-module
support of Struts requires extension mapping. I guess I could write a
small servlet that is not in the Struts mapping but is in the same context
and have it mapped to *.auth.

2) Check within the above filter to see if the request is for the login
action, and if so allow it through. So the if statement above would be:
if (auth == true || req.getPath().equals("login.do"))

Any comments on these ideas or approaches I haven't listed would be
greatly appreciated.

dave






Re: servlet filters and authentication

2004-02-26 Thread rick
Forward to logon.do, and have the Action check for four cases:
1. no request parameters, display logon form
2. invalid request parameters, display errors
3. unable to authenticate with valid parameters, display error
4. parameters authenticate, forward to home page

Rick DeBay




Re: servlet filters and authentication

2004-02-26 Thread David Evans
Thank you. I knew I was overlooking something simple.





RE: servlet filters and authentication

2004-02-26 Thread Max Cooper
I'm the primary author of the SecurityFilter project, and the filter
logic is a bit more complicated than the code that was posted. Even if
you decide not to use SecurityFilter, it is probably worth a look at the
doFilter() method.

Some issues that you will/may have to deal with:
1. Filter getting executed on forwards (depends on your container).
2. Sending the user back to the page they requested when the login
sequence was initiated (a key feature, IMO).
3. Keeping request parameters (both GET and POST) across the login
event.
4. Sending the user to an error page when the login fails.
5. Allowing login form and error page requests to be processed without
invoking the login sequence.
6. Knowing what to do / where to send the user if they authenticate
spontaneously (i.e. when they weren't sent to the login form by your
filter).

Basically, there's a lot of stuff to deal with even though it seems
simple at first. :-) If you can use container-managed security or
SecurityFilter, you'll probably save yourself some time that would
otherwise be spent dealing with these issues. It is worth investigating
the existing solutions before rolling your own.

-Max
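As an added example (editor's code, not David's filter, Max's SecurityFilter or anything posted in the thread), here is one way to put the points above together in a single filter: the login form path is let through (issue 5), the requested URL is remembered and replayed after login (issues 2 and 3, GET only), the filter redirects rather than forwards so the logon Action's own forwards are not re-checked (issue 1), and a login with no remembered target goes home (issue 6). It assumes the javax.servlet API and a Struts logon Action mapped at /logon.do; the attribute names, the PUBLIC_PATHS list and the completeLogin helper are this example's own choices.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Editor's added example: a login filter covering the points raised in the thread. */
public final class LoginFilter implements Filter {

    /** Session attribute the logon Action sets to the authenticated user id (name chosen for this example). */
    public static final String USER_KEY = "authenticatedUser";
    /** Session attribute holding the URL the user asked for before being sent to log in. */
    public static final String TARGET_KEY = "loginTarget";

    // Paths that must be reachable without a login, otherwise a submitted login
    // form would be bounced straight back to the login form (Max's issue 5).
    // Hypothetical paths chosen for this example.
    private static final Set<String> PUBLIC_PATHS = new HashSet<String>(
            Arrays.asList("/logon.do", "/logon.jsp", "/error.jsp"));

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The servlet path is relative to the web app, so the check does not
        // depend on the context root the app is deployed under.
        String path = request.getServletPath();

        if (PUBLIC_PATHS.contains(path) || isAuthenticated(request)) {
            chain.doFilter(request, response);
            return;
        }

        // Remember where the user was going (issue 2), then redirect instead of
        // forwarding: the browser now holds the login URL, so forwards done by
        // the logon Action are not mistaken for a fresh protected request (issue 1).
        request.getSession(true).setAttribute(TARGET_KEY, originalUrl(request));
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/logon.do"));
    }

    /** Authenticated only if the logon Action stored a user id; an attribute of
     *  another type, or no session at all, is not trusted. */
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        return session != null && session.getAttribute(USER_KEY) instanceof String;
    }

    /** Only GET requests can be replayed by a redirect; a POST body cannot
     *  (issue 3), so those land on the home page after login. */
    static String originalUrl(HttpServletRequest request) {
        if (!"GET".equals(request.getMethod())) {
            return request.getContextPath() + "/";
        }
        StringBuffer url = request.getRequestURL();
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /** For the logon Action's "parameters authenticate" case: records the user
     *  in a fresh session (the pre-login session id is discarded so an id handed
     *  to the user beforehand is never upgraded) and returns where to send the
     *  user; with no stored target, e.g. a spontaneous login (issue 6), that is
     *  the home page. */
    public static String completeLogin(HttpServletRequest request, String userId) {
        HttpSession old = request.getSession(false);
        String target = null;
        if (old != null) {
            target = (String) old.getAttribute(TARGET_KEY);
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_KEY, userId);
        return target != null ? target : request.getContextPath() + "/";
    }
}
```

Map the filter to the same pattern as the Struts controller (`*.do` in a `<filter-mapping>`), and have the logon Action call `LoginFilter.completeLogin(request, userId)` once the credentials check out and `sendRedirect` to the value it returns. The stored target is always one of the server's own URLs, taken from `getRequestURL()`, so the post-login redirect cannot be pointed off-site by a request parameter.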




RE: servlet filters and authentication

2004-02-26 Thread Hookom, Jacob
We overrode the execute method on our BaseAction to call a protected
executeSessionAuthorization which by default just checks for the user to be
logged in. Results of the executeSessionAuthorization are thrown as
exceptions (if okay, no exception).

To determine if the executeSessionValidation gets called, our
BaseActionMapping has a property called secure which defaults to true.

public ActionForward execute(
        ActionMapping mapping,
        ActionForm form,
        HttpServletRequest request,
        HttpServletResponse response)
        throws Exception
{
    // if we are using a SmoActionMapping
    if (mapping instanceof SmoActionMapping)
    {
        SmoActionMapping sam = (SmoActionMapping) mapping;

        // should we validate the session? (throws if the user is not logged in)
        if (sam.isSecure())
        {
            executeSessionAuthorization(request);
        }

        if (sam.isBoxStatus())
        {
            executeBoxStatus();
        }

        // see if we know what method to call; fall back to executeInternal
        String execute = (sam.getExecute() == null) ?
                "executeInternal" : sam.getExecute();

        return this.dispatchMethod(mapping, form, request,
                response, execute);
    }

    // if we get here, then let the super take control
    return super.execute(mapping, form, request, response);
}

Child actions, based on modules can override the
executeSessionAuthorization to do additional checking for specific user
permissions flags, etc.  Some of our logic got pretty complex for
permissions and this worked extremely well for what we were trying to
accomplish.

-Jake




RE: servlet filters and authentication

2004-02-26 Thread Robert Taylor
You may want to see if this supports your requirements:

https://sourceforge.net/projects/securityfilter/


robert





BASIC authentication error

2004-01-19 Thread julien LEDOUX
Hello,

I use Struts 1.1 and WSAD 4.
I have BASIC authentication defined in my web.xml.

When I open the restricted page, I can see the authentication pop-up window.
If I enter the correct login/password, I'm forwarded to the right page.
But if I click the cancel button, I get a white page. I'd like to go to my
error page defined for the HTTP 401 error!

The page /error.jsp is not in a restricted area.

Do you have an idea???

Thanks in advance.

julien



In my web.xml:

<error-page>
    <!-- 401 is an HTTP status code; the servlet spec maps those with error-code,
         while exception-type takes a fully qualified exception class name -->
    <exception-type>401</exception-type>
    <location>/error.jsp</location>
</error-page>
<error-page>
    <error-code>403</error-code>
    <location>/error.jsp</location>
</error-page>


Re: handling form based authentication w/ remember-me cookie

2004-01-14 Thread Nadeem Bitar
Chris,
Resin has two extensions that make this easy: j_uri and
j_use_cookie_auth. But I think we are both using Tomcat, which doesn't
have any extensions for this scenario.
Here is how I do it and have seen it done in many places.
You post your logins not to j_security_check but to somewhere else; or
maybe write a login servlet to handle the login, which creates and
stores the remember-me cookie before sending a redirect to
j_security_check. Doing it this way gives you greater flexibility,
especially if you want to do things with JAAS such as store the Principal in
the session. I think that Roller uses a LoginServlet, so you can have a
look at their code.


A note about storing passwords in cookies.
Encode the password.
Do not store the userid with the password in the cookie; store some id
associated with the user id.
You can generate a one-way hash (MD5) of the contents of the cookie with
a secret key only known to the server. This way when you get the
cookie back you can compare it to make sure it wasn't altered.

Many open source Java projects store passwords in cookies insecurely, so
beware of that if you are going to use them as a reference.

 
On , 2004-01-13 at 16:32, Chris Ruegger wrote:
 Craig,
 Ok fair enough. If the spec says it is undefined, then what is one to do?
 Keep in mind I'm trying to do the right thing here and build an application
 where people can logon AND I can send them a cookie to remember their user
 ID.
 What is the proper way to do this under J2EE/Struts? Apparently I'm not
 allowed to intercept calls to j_security_check, so I should be doing
 something else? That's fine, lots of web sites do this, how should I be
 doing it?
 Thanks,
 Chris
 
 - Original Message -
 From: Craig R. McClanahan [EMAIL PROTECTED]
 To: Struts Users Mailing List [EMAIL PROTECTED]
 Sent: Tuesday, January 13, 2004 6:16 PM
 Subject: Re: handling form based authentication w/ remember-me cookie
 
 
  Quoting [EMAIL PROTECTED]:
 
  
   Are Servlet filters supposed to be called for both GET and POST
   methods? They seem to be getting called for GETs only on Tomcat 5.
   -Chris
 
  For filters mapped to ordinary application URLs, the filter should indeed
 get
  mapped on both GET and POST methods.  For filters you attempt to put on
  /j_security_check you are totally outside the bounds of the servlet
  specification, and the only thing you can assume is that the behavior is
  undefined.
 
  Personally, I consider it a bug that Tomcat 5 invokes filters on this,
 even if
  it's just on a GET.
 
  Craig McClanahan
 
 
  
  
Re: handling form based authentication w/ remember-me cookie

2004-01-14 Thread Matt Raible
On Jan 14, 2004, at 3:52 AM, Nadeem Bitar wrote:
A note about storing passwords in cookies.
Encode the password.
Do not store the userid with the password in the cookie, store some id
associated with the user id.
You can generate a one-way hash (MD5) of the contents of the cookie 
with
a secret key only known to the server. This way when you get the
cookie back you can compare it to make sure it wasn't altered.

Many open source java projects store passwords in cookies insecurely so
beware of that if you are going to use that as reference.
I'm guilty of this - do you have code samples (or articles) of how to 
MD5-ify a String and get its secret code?  I've been struggling with 
this for quite some time - a full example (storing some id vs. 
userid) is even more desirable.

Thanks,

Matt

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


RE: handling form based authentication w/ remember-me cookie

2004-01-14 Thread Dhaliwal, Pritpal (HQP)
Why not have a cookie field in the database table..

You generate a random string, put that as a cookie on the client. Now when
you get that cookie back, check if one of your users has that value stored
as a cookie. That's the user.

Pretty simple and no exposing of user ids or passwords.


Pritpal Dhaliwal


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
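Pritpal's random-token lookup and Nadeem's keyed hash, as an added example in the thread's language (not code from the thread, from AppFuse or from SecurityFilter): the cookie holds only a random token plus a MAC under a server-only key, the server stores a SHA-256 hash of the token against the user, and an altered cookie is rejected before any lookup. HMAC-SHA256 stands in for the MD5-with-secret-key the thread mentions, the in-memory map stands in for the database table, and the class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Remember-me tokens: random token in the cookie, hash of it in the user table, MAC to spot tampering. */
public final class RememberMeTokens {

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    /** One row of the "cookie" column Pritpal describes: owner and expiry. */
    private static final class Record {
        final String userId;
        final long expiresAtMillis;
        Record(String userId, long expiresAtMillis) { this.userId = userId; this.expiresAtMillis = expiresAtMillis; }
    }

    private final byte[] macKey;          // secret known only to the server (Nadeem's point)
    private final long lifetimeMillis;
    // Stand-in for the database table, keyed by SHA-256 of the token so a leaked table
    // does not hand out working cookies.
    private final Map<String, Record> store = new ConcurrentHashMap<>();

    public RememberMeTokens(byte[] macKey, long lifetimeMillis) {
        this.macKey = macKey.clone();
        this.lifetimeMillis = lifetimeMillis;
    }

    /** Creates a token for userId and returns the cookie value to send: "token.mac". */
    public String issue(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = B64.encodeToString(raw);
        store.put(sha256(token), new Record(userId, System.currentTimeMillis() + lifetimeMillis));
        return token + "." + B64.encodeToString(hmac(token));
    }

    /** Returns the cookie's owner, or empty if it is malformed, altered, unknown or expired. */
    public Optional<String> validate(String cookieValue) {
        if (cookieValue == null) return Optional.empty();
        int dot = cookieValue.indexOf('.');
        if (dot <= 0 || dot == cookieValue.length() - 1) return Optional.empty();
        String token = cookieValue.substring(0, dot);
        byte[] presentedMac;
        try {
            presentedMac = B64D.decode(cookieValue.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty();       // not base64url: not something we issued
        }
        // Constant-time compare: an altered cookie is rejected before any database
        // lookup and without leaking how many MAC bytes matched.
        if (!MessageDigest.isEqual(presentedMac, hmac(token))) return Optional.empty();
        String key = sha256(token);
        Record rec = store.get(key);
        if (rec == null) return Optional.empty();
        if (System.currentTimeMillis() > rec.expiresAtMillis) {
            store.remove(key);             // expired rows are dropped on first sight
            return Optional.empty();
        }
        return Optional.of(rec.userId);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static String sha256(String s) {
        try {
            return B64.encodeToString(MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key);    // a real deployment loads the key from configuration, never generates it per start
        RememberMeTokens tokens = new RememberMeTokens(key, 14L * 24 * 60 * 60 * 1000);

        String cookie = tokens.issue("user42");   // send as an HttpOnly, Secure cookie with a Max-Age
        System.out.println("genuine cookie: " + tokens.validate(cookie));

        // Flip the first character: the MAC no longer matches, so the store is never consulted.
        String tampered = (cookie.charAt(0) == 'A' ? "B" : "A") + cookie.substring(1);
        System.out.println("altered cookie: " + tokens.validate(tampered));
    }
}
```

Logout should delete the stored row for the presented token so a copied cookie stops working; rotating the token on every successful use limits how long a stolen one stays valid.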



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Craig R. McClanahan
Quoting Matt Raible [EMAIL PROTECTED]:

 Remember Me functionality with j_security_check has worked fine for me. 
   I just go to a LoginServlet from my loginForm, which sets cookies and 
 redirects to j_security_check.  Then I map a Filter to check for those 
 cookies and log the user in appropriately.  More with code at:
 
 http://www.mail-archive.com/[EMAIL PROTECTED]/msg86636.html
 
 Complete code is available in my AppFuse application at:
 
 http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse
 
 HTH,
 
 Matt
 

Filters are *not* required to be invoked on j_security_check invocations.  In
fact, Tomcat won't even enable the j_security_check url unless an
unauthenticated user accesses a protected resource.  Basically, I believe there
is no guaranteed-to-be-portable way to implement remember me functionality on
the server using container managed security.

Craig






Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Matt Raible
On Jan 13, 2004, at 12:42 AM, Craig R. McClanahan wrote:
Filters are *not* required to be invoked on j_security_check 
invocations.  In
fact, Tomcat won't even enable the j_security_check url unless an
unauthenticated user accesses a protected resource.  Basically, I 
believe there
is no guaranteed-to-be-portable way to implement remember me 
functionality on
the server using container managed security.

Craig
The Filter I use is mapped to the location of the form-login-page.  
The solution I use does work on both Tomcat 4/5 and Resin, which is 
portable enough for me!  I did have to add 
<dispatcher>FORWARD</dispatcher> for Tomcat 5 and Resin, where the 
login page is displayed using a forward instead of a redirect.

Matt



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Martin Gainty
Add 1 Nota Bene:
objects in request scope are lost on a redirect, but remain in scope after
a forward...
-Martin




RE: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Parmar, Dipakkumar
Hi Max,

I haven't tested it either.  I read about this in the IBM WebSphere V5.0
Security handbook (page 64).

Regards,
Dipak Parmar


-Original Message-
From: Max Cooper [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 10:42 PM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: Re: handling form based authentication w/ remember-me cookie


Dipak,

Are you certain that the filter will be invoked on the /j_security_check
request when container-based security is used? I have not tested this, but
it would not surprise me to find that some containers do not execute filters
on /j_security_check requests. I don't know if the Servlet Spec says
anything about this case.

Chris,

Another alternative to the original problem of security with remember me
functionality will be available soon. A patch has been submitted to my
SecurityFilter project (http://www.securityfilter.org/) to support remember
me functionality. The integration should be complete soon, and a beta
release will be made available once the integration is complete.
SecurityFilter works very much like container-managed security otherwise,
including the configuration format (except that you declare the constraints
in a separate config file rather than web.xml).

-Max




Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread cruegger

Are Servlet filters supposed to be called for both GET and POST
methods? They seem to be getting called for GETs only on Tomcat 5.
-Chris





Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Craig R. McClanahan
Quoting [EMAIL PROTECTED]:

 
 Are Servlet filters supposed to be called for both GET and POST
 methods? They seem to be getting called for GETs only on Tomcat 5.
 -Chris

For filters mapped to ordinary application URLs, the filter should indeed get
mapped on both GET and POST methods.  For filters you attempt to put on
/j_security_check you are totally outside the bounds of the servlet
specification, and the only thing you can assume is that the behavior is
undefined.

Personally, I consider it a bug that Tomcat 5 invokes filters on this, even if
it's just on a GET.

Craig McClanahan


 
 



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Nadeem Bitar

It is a huge disappointment that the servlet 2.4 specification didn't
address programmatic authentication. Dispatching requests to
j_security_check is a pain in many use cases.

I really hope that a future version of tomcat would address this even if
this didn't make it into the spec this time.

On Tue, 2004-01-13 at 15:16, Craig R. McClanahan wrote:
 Quoting [EMAIL PROTECTED]:
 
  
  Are Servlet filters supposed to be called for both GET and POST
  methods? They seem to be getting called for GETs only on Tomcat 5.
  -Chris
 
 For filters mapped to ordinary application URLs, the filter should indeed get
 mapped on both GET and POST methods.  For filters you attempt to put on
 /j_security_check you are totally outside the bounds of the servlet
 specification, and the only thing you can assume is that the behavior is
 undefined.
 
 Personally, I consider it a bug that Tomcat 5 invokes filters on this, even if
 it's just on a GET.
 
 Craig McClanahan
 
 
  
  



Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Chris Ruegger
Craig,
Ok fair enough. If the spec says it is undefined, then what is one to do?
Keep in mind I'm trying to do the right thing here and build an application
where people can logon AND I can send them a cookie to remember their user
ID.
What is the proper way to do this under J2EE/Struts? Apparently I'm not
allowed to intercept calls to j_security_check so I should be doing something
else? That's fine, lots of web sites do this, how should I be doing it?
Thanks,
Chris


Re: handling form based authentication w/ remember-me cookie

2004-01-13 Thread Matt Raible
They should be getting called for both - since they both are a 
request.  You might try adding the dispatcher element to trap 
forwards as well.  This is a Servlet 2.4 feature.

<filter-mapping>
    <filter-name>loginFilter</filter-name>
    <url-pattern>/security/*</url-pattern>
    <!-- These are needed by Tomcat 5 since it does a forward to
         login.jsp -->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>

On Jan 13, 2004, at 12:19 PM, [EMAIL PROTECTED] wrote:

Are Servlet filters supposed to be called for both GET and POST
methods? They seem to be getting called for GETs only on Tomcat 5.
-Chris



handling form based authentication w/ remember-me cookie

2004-01-12 Thread Chris Ruegger
I am using Struts and building a logon page to do Form-based authentication
under Tomcat. I want to also have a checkbox for the user to check that says
remember me so that I can send them a cookie.  I'm not sure how to intercept
the form values because I have to post to j_security_check. How can I get the
check-box value, set up the cookie, and send them to j_security_check with
struts?

Thanks


RE: handling form based authentication w/ remember-me cookie

2004-01-12 Thread Parmar, Dipakkumar
Hi Chris,

You can do this using a Servlet Filter. What you need to do is write a
postLoginFilter that maps to the j_security_check URL.

In the doFilter method, you can write your post-login code after
j_security_check has done its work.

Something like:

public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
    // let j_security_check do its work
    chain.doFilter(request, response);
    // do your post-login stuff here
}

Regards,
Dipak Parmar



-Original Message-
From: Chris Ruegger [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 9:53 AM
To: Struts Users Mailing List
Subject: handling form based authentication w/ remember-me cookie


I am using Struts and building a logon page to do Form-based authentication
under Tomcat. I want to also have a checkbox for the user to check that says
remember me so that I can send them a cookie.  I'm not sure how to
intercept
the form values because I have to post to j_security_check. How can I get
the
check-box value, set up the cookie, and send them to j_security_check with
struts?

Thanks


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: handling form based authentication w/ remember-me cookie

2004-01-12 Thread Richard Hightower
I believe this is the easiest way

Have the form login go to your own custom action.

Have your action forward to j_security_check, passing the correct
request parameters.

Set the forward you set up that points to j_security_check to do a
redirect=true.

Rick Hightower
Developer

Struts/J2EE training -- http://www.arc-mind.com/strutsCourse.htm

Struts/J2EE consulting --
http://www.arc-mind.com/consulting.htm#StrutsMentoring

-Original Message-
From: Chris Ruegger [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 7:53 AM
To: Struts Users Mailing List
Subject: handling form based authentication w/ remember-me cookie


I am using Struts and building a logon page to do Form-based authentication
under Tomcat. I want to also have a checkbox for the user to check that says
remember me so that I can send them a cookie.  I'm not sure how to
intercept
the form values because I have to post to j_security_check. How can I get
the
check-box value, set up the cookie, and send them to j_security_check with
struts?

Thanks


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: handling form based authentication w/ remember-me cookie

2004-01-12 Thread Max Cooper
Dipak,

Are you certain that the filter will be invoked on the /j_security_check
request when container-based security is used? I have not tested this, but
it would not surprise me to find that some containers do not execute filters
on /j_security_check requests. I don't know if the Servlet Spec says
anything about this case.

Chris,

Another alternative to the original problem of security with remember me
functionality will be available soon. A patch has been submitted to my
SecurityFilter project (http://www.securityfilter.org/) to support remember
me functionality. The integration should be complete soon, and a beta
release will be made available once the integration is complete.
SecurityFilter works very much like container-managed security otherwise,
including the configuration format (except that you declare the constraints
in a separate config file rather than web.xml).

-Max

- Original Message - 
From: Parmar, Dipakkumar [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, January 12, 2004 7:43 AM
Subject: RE: handling form based authentication w/ remember-me cookie


 Hi Chris,

 You can do this using a Servlet Filter. What you need to do is write a
 postLoginFilter that maps to the j_security_check URL.

 In the doFilter method, you can write your post-login code after
 j_security_check has done its work.

 Something like:

 public void doFilter(ServletRequest request, ServletResponse response,
                      FilterChain chain) throws IOException, ServletException {
     // let j_security_check do its work
     chain.doFilter(request, response);
     // do your post-login stuff here
 }

 Regards,
 Dipak Parmar



 -Original Message-
 From: Chris Ruegger [mailto:[EMAIL PROTECTED]
 Sent: Monday, January 12, 2004 9:53 AM
 To: Struts Users Mailing List
 Subject: handling form based authentication w/ remember-me cookie


 I am using Struts and building a logon page to do Form-based authentication
 under Tomcat. I want to also have a checkbox for the user to check that says
 "remember me" so that I can send them a cookie. I'm not sure how to intercept
 the form values because I have to post to j_security_check. How can I get the
 check-box value, set up the cookie, and send them to j_security_check with
 Struts?

 Thanks


 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: handling form based authentication w/ remember-me cookie

2004-01-12 Thread Matt Raible
Remember Me functionality with j_security_check has worked fine for me.
I just go to a LoginServlet from my loginForm, which sets cookies and
redirects to j_security_check. Then I map a Filter to check for those
cookies and log the user in appropriately. More with code at:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg86636.html

Complete code is available in my AppFuse application at:

http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuse

HTH,

Matt

On Jan 12, 2004, at 8:41 PM, Max Cooper wrote:

Dipak,

Are you certain that the filter will be invoked on the /j_security_check
request when container-based security is used? I have not tested this, but
it would not surprise me to find that some containers do not execute filters
on /j_security_check requests. I don't know if the Servlet Spec says
anything about this case.

Chris,

Another alternative to the original problem of security with remember-me
functionality will be available soon. A patch has been submitted to my
SecurityFilter project (http://www.securityfilter.org/) to support remember-me
functionality. The integration should be complete soon, and a beta
release will be made available once the integration is complete.
SecurityFilter works very much like container-managed security otherwise,
including the configuration format (except that you declare the constraints
in a separate config file rather than web.xml).

-Max

- Original Message -
From: Parmar, Dipakkumar [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Monday, January 12, 2004 7:43 AM
Subject: RE: handling form based authentication w/ remember-me cookie

Hi Chris,

You can do this using a Servlet Filter. What you need to do is write a
postLoginFilter that maps to the j_security_check URL.
In the doFilter method, you can write your post-login code after
j_security_check has done its work.
Something like:

public void doFilter(ServletRequest request, ServletResponse response,
                     FilterChain chain) throws IOException, ServletException {
    // let j_security_check do its work
    chain.doFilter(request, response);
    // do your post-login stuff here
}

Regards,
Dipak Parmar


-Original Message-
From: Chris Ruegger [mailto:[EMAIL PROTECTED]
Sent: Monday, January 12, 2004 9:53 AM
To: Struts Users Mailing List
Subject: handling form based authentication w/ remember-me cookie
I am using Struts and building a logon page to do Form-based authentication
under Tomcat. I want to also have a checkbox for the user to check that says
"remember me" so that I can send them a cookie. I'm not sure how to intercept
the form values because I have to post to j_security_check. How can I get the
check-box value, set up the cookie, and send them to j_security_check with
Struts?

Thanks

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

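Both working answers in this thread (Rick's custom action that forwards to j_security_check, Matt's LoginServlet that sets the cookie and then redirects there) end up re-submitting j_username and j_password, because container-managed security in the Servlet 2.x API has no programmatic login call. Whatever the remember-me cookie contains is therefore what gets replayed on the next visit, so the thing to get right is the cookie's content. The class below is an added example, not code from the thread, from AppFuse or from SecurityFilter: a remember-me token that holds only the username, an expiry time and an HMAC under a server-side secret, so that neither the password nor anything derived from it is ever stored in the browser. The secret is assumed to be loaded from server configuration (the main method generates a throwaway one so the example runs), and the two-week lifetime and the user names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not code from the thread, AppFuse or SecurityFilter).
 * Cookie value:  base64url(user) ":" expiryMillis ":" base64url(mac)
 * where mac = HMAC-SHA256(serverSecret, base64url(user) ":" expiryMillis).
 * The value carries no password and nothing derived from one.
 * Requires Java 8 or later (java.util.Base64).
 */
public final class RememberMeToken {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // Assumption: loaded from server-side configuration; never sent to a client.
    private final byte[] serverSecret;

    public RememberMeToken(byte[] serverSecret) {
        this.serverSecret = serverSecret.clone();
    }

    /** Called by the login code only after the password has been verified. */
    public String issue(String username, long expiresAtMillis) {
        String payload = ENC.encodeToString(username.getBytes(StandardCharsets.UTF_8))
                + ":" + expiresAtMillis;
        return payload + ":" + ENC.encodeToString(hmac(payload));
    }

    /**
     * Called by the filter on a request that carries the cookie. Returns the
     * username, or null when the token is malformed, expired or does not verify.
     */
    public String verify(String token, long nowMillis) {
        if (token == null) return null;
        String[] parts = token.split(":", -1);
        if (parts.length != 3) return null;
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis >= expiry) return null;
        byte[] givenMac;
        byte[] user;
        try {
            givenMac = DEC.decode(parts[2]);
            user = DEC.decode(parts[0]);
        } catch (IllegalArgumentException e) {
            return null;
        }
        byte[] expectedMac = hmac(parts[0] + ":" + parts[1]);
        // Constant-time comparison so a forger learns nothing from response timing.
        if (!MessageDigest.isEqual(expectedMac, givenMac)) return null;
        return new String(user, StandardCharsets.UTF_8);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(new SecretKeySpec(serverSecret, ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);   // throwaway secret for the demo only
        RememberMeToken rm = new RememberMeToken(secret);

        long now = System.currentTimeMillis();
        long twoWeeks = 14L * 24 * 60 * 60 * 1000;
        String token = rm.issue("chris", now + twoWeeks);

        System.out.println("cookie value : " + token);
        System.out.println("fresh token  : " + rm.verify(token, now));
        System.out.println("past expiry  : " + rm.verify(token, now + twoWeeks));
        // Replace the username part with another user; the MAC no longer matches.
        String forged = ENC.encodeToString("admin".getBytes(StandardCharsets.UTF_8))
                + token.substring(token.indexOf(':'));
        System.out.println("forged user  : " + rm.verify(forged, now));
    }
}
```

The login code calls issue() after the credentials have been checked and stores the result in a cookie scoped to the application's context path, with the Secure flag when the site runs over HTTPS; the filter calls verify() on the cookie value and treats null as "not remembered". Because the container cannot consume this token, the filter has two options: perform the application's own authentication from it (the SecurityFilter model), or re-post to j_security_check against a custom Realm that accepts the token in place of j_password (an assumption about your realm, not something Tomcat provides). The token is a bearer credential, so whoever steals the cookie is that user until the expiry passes: keep the lifetime short, revoke every outstanding token by rotating the secret, and, if you need per-user revocation, mix a per-user version number into the MAC input (not shown).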

Re: Realm authentication password change

2003-11-17 Thread Adam Hardy
On 11/17/2003 12:43 PM Grassi Fabio wrote:
I'm using Tomcat User Database Realm authentication with a Struts
application. It all works fine *but* I would like to give my users the
ability to change their password. The problem is that once the password
is changed in my RDBMS, Tomcat keeps the old password in memory until
restarted. So the unlucky user who has changed the password gets
prevented from logging in again.
Hi Fabio,
I don't think that is quite correct. As far as the docs go, the info is 
kept for the duration of the session. So you have to invalidate the 
user's session and force them to log in again.

Adam

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: [OT] Security Filter - Active Authentication (Better)

2003-11-06 Thread Brandon Goodin
I wrote an implementation of the Active Authentication idea introduced
in Java Developers Journal. I like it much better than Security Filter.
It allows me to use the TRUE container's standard authentication. Also,
I get ALL the features that SecurityFilter provides and ALL the features
of container based security. If you would like the code, I would be
happy to share it. Also, I'd be happy to upload it to the struts
sourceforge site. It is definitely something other people can use and is
not specific to my apps. It is only specific to Struts. But, writing
implementations for other Web MVC (Model 2) frameworks would be a snap.

Brandon Goodin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Security Filter - Active Authentication (Better)

2003-11-06 Thread Hubert Rabago
Hi Brandon,

I would be very interested in your implementation.  If you don't have it up
somewhere already and you don't mind, can you send it to me?  
thanks,
Hubert

--- Brandon Goodin [EMAIL PROTECTED] wrote:
 I wrote an implementation of the Active Authentication idea introduced
 in Java Developers Journal. I like it much better than Security Filter.
 It allows me to use the TRUE container's standard authentication. Also,
 I get ALL the features that SecurityFilter provides and ALL the features
 of container based security. If you would like the code, I would be
 happy to share it. Also, I'd be happy to upload it to the struts
 sourceforge site. It is definitely something other people can use and is
 not specific to my apps. It is only specific to Struts. But, writing
 implementations for other Web MVC (Model 2) frameworks would be a snap.
 
 Brandon Goodin
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 


__
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Security Filter - Active Authentication (Better)

2003-11-06 Thread Brandon Goodin
I'm putting it together. If a committer on the Struts sf.net project
wants to give me permissions to create a cvs project for this... I'd be
happy to. Also, it would be nice to receive back contributions on how to
make this better. I'll send a zip to anyone who wants it.

Brandon Goodin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Security Filter - Active Authentication (Better)

2003-11-06 Thread Brandon Goodin
I'm an idiot... I already have CVS access to the sf.net project. Hehe...
I'll commit it there. But, I warn you... what I am putting in the CVS
is not a full functioning web example... I'll add that later. But, for
now it's just code that needs to be organized better. But, it does give
you an idea of what is going on with Active Authentication. I'll try to
get a working app up tonight.

Brandon

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [OT] Security Filter - Active Authentication (Better)

2003-11-06 Thread Brandon Goodin
okay...

I didn't want to commit it to the Struts sf.net cvs until I had it
working as a functioning example web app. So, I have my rudimentary
conglomeration of files at: http://www.phase.ws/security/security.zip 

Look for a working example over the next few days on the sourceforge
struts project cvs.

Thanks,
Brandon

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: User Authentication implemented in Struts

2003-10-23 Thread Adam Hardy


If you made roles for each region, you could use them in that way too, 
however I think that would be too cumbersome.

A servlet filter is also a possibility, but also not optimal I think.

I would make the implementation depend on the data model rather than the 
authorisation scheme.

For instance in your data model, you can have sales associated with 
different regions. You can also have users associated with different 
regions. Therefore it will not be difficult to write SQL queries for 
your reports where the sales displayed are selected by user.

e.g. a junior salesman has an association with one region, but a sales 
manager would have links to several regions. The finance people would 
have links to all regions.

Hope that's clear,
Adam
On 10/23/2003 04:05 AM Caroline Jen wrote:
My question is similar.  I use container-managed
role-based security checking.  I put role property
in Action Mapping and use isUserInRole in my JSPs. 
For example, John can view the sales reports if he has
the sales role. Now, I want to further restrict John
to view the sales reports in his region only.

People say that I can use the servlet filter. I need
guidance to see some examples.
--- Adam Hardy [EMAIL PROTECTED]
wrote:
On 10/22/2003 10:21 PM Ramadoss Chinnakuzhandai
wrote:
apologize for repeating my question again. I'm a
newbie to Struts and have a basic doubt about the security
level implemented using the Struts framework.
we are aware that in a normal J2EE application we
authenticate a user based on the user access level
specified in the web-app in web.xml (web container)
My Questions are

1. Are we following the same process of
authenticating a user against his/her access level
as that of the above...? if not please explain how you
are authenticating a user in your struts-based
application.
2. If yes to the above question, is there some other
way of authenticating a user available in Struts? If
so please explain how you are authenticating a user?
Yes to both: struts leverages the built-in container
managed security as 
specified by the servlet spec from Sun.


--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


To the Person Asked About Form-Based Container-Managed (JDBCRealm) Authentication Question

2003-10-23 Thread Caroline Jen
Hi, I saw your message asking me about the form-based
container-managed authentication in Struts.  I
accidentally deleted your message and could not find
your name and e-mail address.

The following steps are what should be done:

1. configure the JDBCRealm in the Tomcat server.xml,
see
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

2. container-managed, form-based authentication is
completely handled by the server. That is to say, it
is none of Struts' business. Prepare your logon.jsp
and error.jsp (do not use Struts tags). There is
nothing wrong with your j_security_check, ..., etc.

3. in your web.xml, you have

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/signin/logon.jsp</form-login-page>
      <form-error-page>/signin/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

4. Do not change your action forward in the
struts-config.xml file (i.e. do not forward anything
to logon.jsp because it has nothing to do with Struts)
except add redirect="true". For example:

  <forward
    name="logon"
    redirect="true"
    path="/do/admin/Menu"/>

Craig McClanahan wrote a detailed explanation on how
it works (I am quoting what Craig said below):

form-based login is triggered the first time that an
unauthenticated user requests a URL that is protected
by a security constraint.
(1) Unauthenticated user requests a protected resource
(*NOT* the login page!) 
(2) Container remembers the protected resource that
was requested in a private variable. 
(3) Container displays the login page, which must have
a destination of j_security_check, and waits for the
user submit. For some containers, including Tomcat,
this is the one-and-only time that submitting to
j_security_check will not return a 404. 
(4) User enters username and password, and presses the
submit button.
(5) the post to j_security_check is intercepted by
your servlet container, which performs Container
Managed Authentication - it looks for the j_username
and j_password, authenticates the combination, and
forwards to the originally requested resource, or to a
configurable error page if the authentication 
(6) Container authenticates the username (j_username)
and password (j_password) combination. If valid,
container recalls the originally requested resource
saved in (2) and displays *that* to the user in
response to the login submit.  Or forwards to a
configurable error page if the authentication fails.
The important point is that, at no time, did anyone
ever submit a request to the URL of the login page,
because there is no such thing.  Also think of the
login page as part of the container, not part of your
app. 


Let me know if you have further questions.

-Caroline



__
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

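Caroline's steps gathered into one web.xml, as an added example that is not from the thread: the URL pattern, the role name and the page paths are assumptions, and the idle-session timeout is included because it belongs with any form login. The element order follows the Servlet 2.3 DTD, in which session-config must precede security-constraint.

```xml
<!-- Added example: container-managed form login for a Struts application.
     Paths, pattern and role name are assumed, not taken from the thread. -->
<web-app>

  <!-- idle sessions, and with them the cached Principal, expire after 30 minutes -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

  <!-- Only these URLs trigger the login form; everything else stays anonymous.
       No <http-method> elements on purpose: listing GET and POST would leave
       HEAD, PUT and the rest unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/do/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- credentials and the session cookie travel over HTTPS only -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/signin/logon.jsp</form-login-page>
      <form-error-page>/signin/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

logon.jsp is a plain form with method="POST" and action="j_security_check" carrying the fields j_username and j_password, exactly as Craig's step (3) describes; it is never requested directly, so it needs no constraint of its own. Keep error.jsp generic (one message for a wrong username and a wrong password), and remember that a security constraint protects URLs, not data: a user in the admin role can still reach every admin URL, so row-level restrictions such as "only my region" have to be enforced in the code behind those URLs.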


User Authentication implemented in Struts

2003-10-22 Thread Ramadoss Chinnakuzhandai
apologize for repeating my question again. I'm a newbie to Struts and have a basic doubt 
about the security level implemented using the Struts framework.

we are aware that in a normal J2EE application we authenticate a user based on the user 
access level specified in the web-app in web.xml (web container)

My Questions are

1. Are we following the same process of authenticating a user against his/her access 
level as that of the above...? if not please explain how you are authenticating a user in 
your struts-based application.

2. If yes to the above question, is there some other way of authenticating a user 
available in Struts? If so please explain how you are authenticating a user?

tnx in advance.

Regards,
-Ram




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: User Authentication implemented in Struts

2003-10-22 Thread Adam Hardy


On 10/22/2003 10:21 PM Ramadoss Chinnakuzhandai wrote:
apologize for repeating my question again. I'm a newbie to Struts and have a basic doubt about the security level implemented using the Struts framework.

we are aware that in a normal J2EE application we authenticate a user based on the user access level specified in the web-app in web.xml (web container)

My Questions are

1. Are we following the same process of authenticating a user against his/her access level as that of the above...? if not please explain how you are authenticating a user in your struts-based application.

2. If yes to the above question, is there some other way of authenticating a user available in Struts? If so please explain how you are authenticating a user?
Yes to both: struts leverages the built-in container managed security as 
specified by the servlet spec from Sun.

Adam

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: User Authentication implemented in Struts

2003-10-22 Thread Caroline Jen
My question is similar.  I use container-managed
role-based security checking.  I put role property
in Action Mapping and use isUserInRole in my JSPs. 
For example, John can view the sales reports if he has
the sales role. Now, I want to further restrict John
to view the sales reports in his region only.

People say that I can use the servlet filter. I need
guidance to see some examples.


--- Adam Hardy [EMAIL PROTECTED]
wrote:
 
 
 On 10/22/2003 10:21 PM Ramadoss Chinnakuzhandai
 wrote:
   apologize for repeating my question again. I'm a
  newbie to Struts and have a basic doubt about the security
  level implemented using the Struts framework.
   
   we are aware that in a normal J2EE application we
  authenticate a user based on the user access level
  specified in the web-app in web.xml (web container)
   
   My Questions are
   
   1. Are we following the same process of
  authenticating a user against his/her access level
  as that of the above...? if not please explain how you
  are authenticating a user in your struts-based
  application.
   
   2. If yes to the above question, is there some other
  way of authenticating a user available in Struts? If
  so please explain how you are authenticating a user?
 
 Yes to both: struts leverages the built-in container
 managed security as 
 specified by the servlet spec from Sun.
 
 Adam
 
 -- 
 struts 1.1 + tomcat 5.0.12 + java 1.4.2
 Linux 2.4.20 RH9
 
 

 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 


__
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



User authentication and Intranet single sign on

2003-10-14 Thread Robert Lamping
Dear all,

For our Struts application we are looking for a single sign on solution.
(Sign on in the network, NOT single-sign on in Tomcat)
With much interest I followed the thread about user-authentication by
Caroline Jen, Gregg and finally the examples of Matt Raible.

I tried the code and it works. We use FORM based authentication now and this
is a good alternative when testing authorization in our web application for
user with different authorization.
We are using Tomcat (Jakarta-Tomcat 4.1.27 with hotfix 22096). and defined a
realm to our user, user roles database. 

For the production environment we are looking for the following:
Users log in to the network with their own username and password. I am
looking for a way to grab this username and authenticate this user under
water in Tomcat or using some other means, e.g. a filter, using the realm
user/userroles database.
 
The result should be that the user only gets a login denied screen when he
is not authorized. 

What is the easiest way to do this? 

Another approach:
We tried to use jcifs, but then the FORM based authentication of the
container does not work. 
When using jcifs, request.isUserInRole() does not work. Does someone have
example code to solve this?

Hope you can help.

Kind regards,

Robert Lamping






-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Struts and user-authentication

2003-10-08 Thread Ilja
Anyone?

On Mon, 06 Oct 2003 17:36:24 +0200, Ilja [EMAIL PROTECTED]
said:
 Thanks! Very helpful, but still some questions:
 
 How can you programmatically make use of struts-config.xml? Now the
 login page is hardcoded:
 
 String loginPage = request.getContextPath() + "/logon.do";
 
 Can't you make it more generic so that it uses the config file to look it
 up?
 
 Secondly: How can you display user information in a JSP page when you have
 your own authentication system? I probably have to write my own taglibs,
 right?
 
 Ilja
 
 On Mon, 6 Oct 2003 18:10:56 +0530, Deepak [EMAIL PROTECTED] said:
  Try this :
  http://www.theserverside.com/resources/article.jsp?l=JAAS
  
  - Original Message - 
  From: Ilja [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, October 06, 2003 6:00 PM
  Subject: Struts and user-authentication
  
  
   Is there any good example on how to incorporate strict
   user-authentication with Struts?
   
   Currently I'm working on a way to implement user-authentication with
   OSUser (www.opensymphony.com/osuser) and hibernate (www.hibernate.org)
   
   What's the best way to implement user-security? Where should the
   authentication method be put in? In every action? Is it possible to
   create one generic class that authorizes a user and sends it to the
   appropriate page (either the page he requested, an error or a login-page)
   without coding it on every single action page?
   
   Thanks,
   
   Ilja
   
   -
   To unsubscribe, e-mail: [EMAIL PROTECTED]
   For additional commands, e-mail: [EMAIL PROTECTED]
  
  
  -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
  
  

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Struts and user-authentication

2003-10-08 Thread Fenderbosch, Eric
Use a global-forward.
Example:
struts-config.xml:
  <global-forwards>
    <forward name="track" path="/do/track" redirect="true"/>
    <forward name="login" path="/do/login" redirect="true"/>
    <forward name="logout" path="/do/logout" redirect="true"/>
  </global-forwards>

index.jsp (which is my welcome file):
<%@ page language="java" %>
<%@ taglib uri="/WEB-INF/struts-logic.tld" prefix="logic" %>
<html>
  <body>
    <logic:present name="contactCookie" scope="session">
      <logic:forward name="track"/>
    </logic:present>
    <logic:notPresent name="contactCookie" scope="session">
      <logic:forward name="login"/>
    </logic:notPresent>
  </body>
</html>

-Original Message-
From: Ilja [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 08, 2003 13:13
To: [EMAIL PROTECTED]
Subject: Re: Struts and user-authentication


Anyone?

On Mon, 06 Oct 2003 17:36:24 +0200, Ilja [EMAIL PROTECTED]
said:
 Thanks! Very helpful, but still some questions:
 
 How can you programmatically make use of struts-config.xml? Now the
 login page is hardcoded:
 
 String loginPage = request.getContextPath() + "/logon.do";
 
 Can't you make it more generic so that it uses the config file to look it
 up?
 
 Secondly: How can you display user information in a JSP page when you have
 your own authentication system? I probably have to write my own taglibs,
 right?
 
 Ilja
 
 On Mon, 6 Oct 2003 18:10:56 +0530, Deepak [EMAIL PROTECTED] said:
  Try this :
  http://www.theserverside.com/resources/article.jsp?l=JAAS
  
  - Original Message - 
  From: Ilja [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, October 06, 2003 6:00 PM
  Subject: Struts and user-authentication
  
  
   Is there any good example on how to incorporate strict
   user-authentication with Struts?
   
   Currently I'm working on a way to implement user-authentication with
   OSUser (www.opensymphony.com/osuser) and hibernate (www.hibernate.org)
   
   What's the best way to implement user-security? Where should the
   authentication method be put in? In every action? Is it possible to
   create one generic class that authorizes a user and sends it to the
   appropriate page (either the page he requested, an error or a login-page)
   without coding it on every single action page?
   
   Thanks,
   
   Ilja
   
   -
   To unsubscribe, e-mail: [EMAIL PROTECTED]
   For additional commands, e-mail: [EMAIL PROTECTED]
  
  
  -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
  
  

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Struts and user-authentication

2003-10-08 Thread Carlos Sánchez
For the second you can add a bean to the session object with user
information after successful login and access it in each page

 -Mensaje original-
 De: Ilja [mailto:[EMAIL PROTECTED] 
 Enviado el: miércoles, 08 de octubre de 2003 19:13
 Para: [EMAIL PROTECTED]
 Asunto: Re: Struts and user-authentication
 
 
 Anyone?
 
 On Mon, 06 Oct 2003 17:36:24 +0200, Ilja [EMAIL PROTECTED]
 said:
  Thanks! Very helpful, but still some questions:
  
  How can you programmatically make use of struts-config.xml? Now the
  login page is hardcoded:
  
  String loginPage = request.getContextPath() + "/logon.do";
  
  Can't you make it more generic so that it uses the config file to look
  it up?
  
  Secondly: How can you display user information in a JSP page when you
  have your own authentication system? I probably have to write my own
  taglibs, right?
  
  Ilja
  
  On Mon, 6 Oct 2003 18:10:56 +0530, Deepak [EMAIL PROTECTED] 
  said:
   Try this : 
 http://www.theserverside.com/resources/article.jsp?l=JAAS
   
   - Original Message -
   From: Ilja [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Monday, October 06, 2003 6:00 PM
   Subject: Struts and user-authentication
   
   
Is there any good example on how to incorporate strict 
user-authentication with Struts?

Currently I'm working on a way to implement user-authentication 
with OSUser (www.opensymphony.com/osuser) and hibernate 
(www.hibernate.org)

    What's the best way to implement user-security? Where should the
    authentication method be put in? In every action? Is it possible
    to create one generic class that authorizes a user and sends it to
    the appropriate page (either the page he requested, an error or a
    login-page) without coding it on every single action page?

Thanks,

Ilja


 --
---
To unsubscribe, e-mail: 
 [EMAIL PROTECTED]
For additional commands, e-mail: 
 [EMAIL PROTECTED]
   
   
   
 

RE: Struts and user-authentication

2003-10-08 Thread Joseph . Sadove
You can also use a filter and/or container-based authentication if you 
have a compliant container. 

I would say that's the best method.






Carlos Sánchez [EMAIL PROTECTED]
10/08/2003 04:31 PM
Please respond to Struts Users Mailing List

 
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
cc: 
Subject:RE: Struts and user-authentication


For the second you can add a bean to the session object with user
information after successful login and access it in each page

 -Original Message-
 From: Ilja [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, 08 October 2003 19:13
 To: [EMAIL PROTECTED]
 Subject: Re: Struts and user-authentication
 
 
 Anyone?
 
 On Mon, 06 Oct 2003 17:36:24 +0200, Ilja [EMAIL PROTECTED]
 said:
  Thanks! Very helpful, but still some questions:
  
  How can you programmatically make use of struts-config.xml? Now the 
  login page is hardcoded:
  
  String loginPage = request.getContextPath() + "/logon.do";
  
  Can't you make it more generic so that it uses the config-file to look 
  it up?
  
  Secondly: How can you display user information in a jsp-page when you 
  have your own authentication-system? I probably have to write my own 
  taglibs right?
  
  Ilja
  
  On Mon, 6 Oct 2003 18:10:56 +0530, Deepak [EMAIL PROTECTED] 
  said:
   Try this : 
 http://www.theserverside.com/resources/article.jsp?l=JAAS
   
   - Original Message -
   From: Ilja [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Monday, October 06, 2003 6:00 PM
   Subject: Struts and user-authentication
   
   
Is there any good example on how to incorporate strict 
user-authentication with Struts?

Currently I'm working on a way to implement user-authentication 
with OSUser (www.opensymphony.com/osuser) and hibernate 
(www.hibernate.org)

 What's the best way to implement user-security? Where should the 
 authentication method be put in? In every action? Is it possible 
 to create one generic class that authorizes a user and sends it to 
 the appropriate page (either the page he requested, an error or a 
 login-page) without coding it on every single action page?

Thanks,

Ilja




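The filter approach mentioned above, as an added example that is not code from this thread or from Struts itself: a Servlet 2.3 Filter that forces a login for the paths it is mapped to, and that reads the login page from an init-param in web.xml instead of hard-coding "/logon.do" in Java (the generic lookup Ilja asked about). It also shows where the user bean that Carlos mentions is kept so that JSPs can render it. AuthenticationFilter, the "loginPage" init-param, the "user" session key and the "/secure/*" mapping are illustrative assumptions.

```java
// Added example (not from the thread or the Struts project): a Servlet 2.3
// Filter that requires a logged-in user for the URL patterns it is mapped to.
// AuthenticationFilter, the "loginPage" init-param and the "user" session key
// are assumed names for illustration.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthenticationFilter implements Filter {

    /** Session attribute under which the login action stores the user bean. */
    public static final String USER_KEY = "user";

    /** Context-relative login page, read from web.xml rather than hard-coded. */
    private String loginPage;

    public void init(FilterConfig config) throws ServletException {
        // Assumed web.xml wiring:
        //   <filter>
        //     <filter-name>auth</filter-name>
        //     <filter-class>AuthenticationFilter</filter-class>
        //     <init-param>
        //       <param-name>loginPage</param-name>
        //       <param-value>/logon.do</param-value>
        //     </init-param>
        //   </filter>
        //   <filter-mapping>
        //     <filter-name>auth</filter-name>
        //     <url-pattern>/secure/*</url-pattern>
        //   </filter-mapping>
        loginPage = config.getInitParameter("loginPage");
        if (loginPage == null || !loginPage.startsWith("/")) {
            throw new ServletException(
                "init-param 'loginPage' must be a context-relative path");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Do not create a session merely to look at it.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_KEY);

        if (user == null) {
            // Not authenticated: remember only the server-relative path the
            // user asked for (never a full URL, so the post-login redirect
            // cannot be steered to another host), then go to the login page.
            request.getSession(true).setAttribute("requestedPath",
                                                  request.getServletPath());
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }

        // Authenticated: hand the request on to the Struts ActionServlet.
        // Because the user bean lives in the session, a JSP can display it
        // with <bean:write name="user" property="..."/> without a custom taglib.
        chain.doFilter(request, response);
    }

    public void destroy() {
        loginPage = null;
    }
}
```

Only the URL patterns listed in the filter-mapping are protected; everything else stays anonymous, which matches the "most pages public, a few require login" requirement. The login action is expected to store the user bean under the "user" key and to consult "requestedPath" for the post-login redirect.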
RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Navjot Singh
You may wish to look into JAAS if you have so many different roles and users per
role.

Anyway, Struts lets you specify a roles attribute (that takes comma-separated values,
I guess) for each action. If you extend the RequestProcessor class and modify the
processRoles() method, you can redirect to any page if the roles are not
valid for that action, etc.

Struts, using declarative roles, tried to make things easier in terms of less
programming effort and easier role management. Otherwise I can't see much
difference. Any opinions?

HTH
Navjot Singh

-Original Message-
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 7:26 AM
To: Struts Users Mailing List
Subject: RE: Container-Managed Authentication login-config in web.xml
vs . Specifying Paths in the struts-config.xml


But, I do not want to use BASIC authentication.  I
have many different roles and hundreds of people per
role.  Users' name, role, etc. are stored in a
database.
--- Matt Raible [EMAIL PROTECTED] wrote:
 A JDBCRealm can use BASIC authentication - it
 doesn't require form-based.
 Here's an example app that might help you out:


http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample

 HTH,

 Matt

 -Original Message-
 From: Caroline Jen [mailto:[EMAIL PROTECTED]
 Sent: Monday, October 06, 2003 4:45 PM
 To: [EMAIL PROTECTED]
 Subject: Container-Managed Authentication
 login-config in web.xml vs.
 Specifying Paths in the struts-config.xml


 I use Tomcat.  I configured the Tomcat JDBCRealm
 so that I can use programmatic security testing, such
 as isUserInRole(), in my program.

 Because Tomcat JDBCRealm is form based, I inserted
 the
 login-config and its sub-elements in my web.xml
 file
 (see below).  As we know, the form-login-page and
 form-error-page are required.

 My question is that the container-managed
 authentication does not seem to be consistent with
 what we usually do in struts; e.g. we state the
 logical name and path for each .jsp page in the
 struts-config.xml file.

 What is the Struts convention in dealing with user
 authentication?  Should we specify the paths for the
 logon page and error page in the struts.config.xml
 or
 we should use the form-login-page and
 form-error-page in the web.xml file?


==
 <security-constraint>
    <web-resource-collection>
       <web-resource-name>SalesInfo</web-resource-name>
       <url-pattern>/SalesInfo/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
       <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
 </security-constraint>

 <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
       <form-login-page>/authentication/login.html</form-login-page>
       <form-error-page>/authentication/error.html</form-error-page>
    </form-login-config>
 </login-config>

 <security-role>
    <role-name>manager</role-name>
 </security-role>






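The processRoles() override Navjot suggests, as an added example that is not code from this thread or from the Struts project: a RequestProcessor subclass for Struts 1.1 that reads the roles attribute of the matched action mapping, redirects unauthenticated callers to the login page, and returns a hard denial (with a log line for audit) to callers who are authenticated but lack the role. SecureRequestProcessor and the "/logon.do" path are illustrative assumptions; it is registered through the controller element of struts-config.xml.

```java
// Added example (not from the thread or the Struts project): a Struts 1.1
// RequestProcessor that distinguishes "not logged in" from "logged in but not
// authorised" when enforcing the roles="..." attribute of an action mapping.
// Register it in struts-config.xml with
//   <controller processorClass="SecureRequestProcessor"/>
// SecureRequestProcessor and LOGIN_PATH are assumed names for illustration.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

public class SecureRequestProcessor extends RequestProcessor {

    /** Context-relative login action; assumed path. */
    private static final String LOGIN_PATH = "/logon.do";

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        // roles="admin,sales" in struts-config.xml arrives here already split.
        String[] roles = mapping.getRoleNames();
        if (roles == null || roles.length == 0) {
            return true;            // no roles declared: action is public
        }

        // Authentication is done by the container (or a filter-based clone
        // such as SecurityFilter); we only read what it exposes via the
        // standard servlet API.
        if (request.getUserPrincipal() == null) {
            // Anonymous caller: send to the login page and stop processing.
            request.getSession(true).setAttribute("requestedPath",
                                                  mapping.getPath());
            response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            return false;
        }

        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;        // authenticated and authorised
            }
        }

        // Authenticated but not authorised: deny instead of bouncing to the
        // login page, and leave an audit trail of who tried which action.
        log("Access denied: principal '" + request.getUserPrincipal().getName()
            + "' lacks a required role for action " + mapping.getPath());
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return false;
    }
}
```

Keeping the two cases apart matters: redirecting an already-authenticated user to the login page hides authorisation failures from both the user and the logs, whereas a 403 with a logged principal is what an operator needs to spot probing of privileged actions.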

Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Craig R. McClanahan
Caroline Jen wrote:

But, I do not want to use BASIC authentication.  I
have many different roles and hundreds of people per
role.  Users' name, role, etc. are stored in a
database.
How authentication is performed (BASIC, form-based, DIGEST, or SSL 
client certificates) and how users are stored (database, directory 
server, local XML file, ...) are two separate questions.  For most 
servers, any combination is possible.  With Tomcat, for example, you 
can configure JDBCRealm to point at your user and role definitions in a 
database, and then use those users with any of the authentication 
methods.  For more information, see:

   http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

The choice between BASIC and form-based authentication, then, can be 
based on user interface related concerns, rather than worrying about a 
database.

Craig

--- Matt Raible [EMAIL PROTECTED] wrote:
 

A JDBCRealm can use BASIC authentication - it
doesn't require form-based.
Here's an example app that might help you out:
   

http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
 

HTH,

Matt

-Original Message-
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: Container-Managed Authentication
login-config in web.xml vs.
Specifying Paths in the struts-config.xml
I use Tomcat.  I configured the Tomcat JDBCRealm
so that I can use programmatic security testing, such
as isUserInRole(), in my program.
Because Tomcat JDBCRealm is form based, I inserted
the
login-config and its sub-elements in my web.xml
file
(see below).  As we know, the form-login-page and
form-error-page are required.
My question is that the container-managed
authentication does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts.config.xml
or
we should use the form-login-page and
form-error-page in the web.xml file?
   

==

<security-constraint>
   <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/SalesInfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>manager</role-name>
   </auth-constraint>
   <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
</security-constraint>

<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/authentication/login.html</form-login-page>
      <form-error-page>/authentication/error.html</form-error-page>
   </form-login-config>
</login-config>

<security-role>
   <role-name>manager</role-name>
</security-role>




Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Caroline Jen
People answer questions without reading my original
post.  Therefore, I must re-type my original question
again.

Before I posted my question, I had configured the
Tomcat JDBCRealm following the instructions at
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
so that I can do security testing programmatically, such
as isUserInRole(), in my program.

If I use form based authentication, I insert the
login-config and its sub-elements in my web.xml file
(see below).  As we know, the form-login-page and
form-error-page are required.

My question is that the container-managed
authentication (we provide login page and error page
in the web.xml) does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts.config.xml or
we should use the form-login-page and
form-error-page in the web.xml file?

Thanks.
--- Craig R. McClanahan [EMAIL PROTECTED] wrote:
 Caroline Jen wrote:
 
 But, I do not want to use BASIC authentication.  I
 have many different roles and hundreds of people
 per
 role.  Users' name, role, etc. are stored in a
 database.
 
 How authentication is performed (BASIC, form-based,
 DIGEST, or SSL 
 client certificates) and how users are stored
 (database, directory 
 server, local XML file, ...) are two separate
 questions.  For most 
 servers, any combination is possible.  With Tomcat,
 for example, you 
 can configure JDBCRealm to point at your user and
 role definitions in a 
 database, and then use those users with any of the
 authentication 
 methods.  For more information, see:
 


http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
 
 The choice between BASIC and form-based
 authentication, then, can be 
 based on user interface related concerns, rather
 than worrying about a 
 database.
 
 Craig
 
 --- Matt Raible [EMAIL PROTECTED] wrote:
   
 
 A JDBCRealm can use BASIC authentication - it
 doesn't require form-based.
 Here's an example app that might help you out:
 
 
 
 

http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
   
 
 HTH,
 
 Matt
 
 -Original Message-
 From: Caroline Jen [mailto:[EMAIL PROTECTED]
 Sent: Monday, October 06, 2003 4:45 PM
 To: [EMAIL PROTECTED]
 Subject: Container-Managed Authentication
 login-config in web.xml vs.
 Specifying Paths in the struts-config.xml
 
 
 I use Tomcat.  I configured the Tomcat JDBCRealm
 so that I can use programmatic security testing, such
 as isUserInRole(), in my program.
 
 Because Tomcat JDBCRealm is form based, I inserted
 the
 login-config and its sub-elements in my web.xml
 file
 (see below).  As we know, the form-login-page
 and
 form-error-page are required.
 
 My question is that the container-managed
 authentication does not seem to be consistent with
 what we usually do in struts; e.g. we state the
 logical name and path for each .jsp page in the
 struts-config.xml file.  
 
 What is the Struts convention in dealing with user
 authentication?  Should we specify the paths for
 the
 logon page and error page in the struts.config.xml
 or
 we should use the form-login-page and
 form-error-page in the web.xml file?
 
 
 
 

==

 <security-constraint>
    <web-resource-collection>
       <web-resource-name>SalesInfo</web-resource-name>
       <url-pattern>/SalesInfo/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
       <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
 </security-constraint>

 <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
       <form-login-page>/authentication/login.html</form-login-page>
       <form-error-page>/authentication/error.html</form-error-page>
    </form-login-config>
 </login-config>

 <security-role>
    <role-name>manager</role-name>
 </security-role>
 
 
 
 

RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Matt Raible
Don't put anything in struts-config, in web.xml, put:

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?error=true</form-error-page>
    </form-login-config>
</login-config>


You can use whatever code you like in login.jsp, here's mine as an example:

<%@ include file="/common/taglibs.jsp"%>

<tiles:insert definition=".login" flush="true"/>

So you can see it uses Tiles - here's my .login definition:

<!-- Login Page definition -->
<definition name=".login" extends="baseLayout">
    <put name="titleKey"   value="login.title"/>
    <put name="headingKey" value="login.heading"/>
    <put name="menu"       value="/menu.html"/>
    <put name="content"    value="/WEB-INF/pages/login.jsp"/>
</definition>

Where /pages/login.jsp is:

<%@ include file="/common/taglibs.jsp"%>

<div id="loginTable">
<form method="post" id="loginForm" action="j_security_check">
<table width="100%">
    <tr>
        <td colspan="2">
            <c:if test="${param.error != null}">
                <div class="error"
                     style="margin-right: 0; margin-bottom: 3px; margin-top: 3px">
                    <html:img pageKey="icon.warning.img"
                              altKey="icon.warning" styleClass="icon"/>
                    <fmt:message key="errors.password.mismatch"/>
                </div>
            </c:if>
        </td>
    </tr>
    <tr>
        <th>
            <label for="j_username" class="required">
                <fmt:message key="label.username"/>*:
            </label>
        </th>
        <td>
            <input type="text" name="j_username" id="j_username" size="25" />
        </td>
    </tr>
    <tr>
        <th>
            <label for="j_password" class="required">
                <fmt:message key="label.password"/>*:
            </label>
        </th>
        <td>
            <input type="password" name="j_password" id="j_password" size="20" />
        </td>
    </tr>
    <tr>
        <td></td>
        <td>
            <input type="checkbox" name="rememberMe" id="rememberMe" />
            <label for="rememberMe"><fmt:message key="login.rememberMe"/></label>
            <!-- for Resin -->
            <input type="hidden" name="j_uri" id="j_uri" value="" />
        </td>
    </tr>
    <tr>
        <td></td>
        <td>
            <input type="submit" name="login" id="login" value="Login" />
            <input type="reset" name="reset" id="reset" value="Reset"
                   onclick="document.getElementById('j_username').focus()" />
        </td>
    </tr>
    <tr>
        <td></td>
        <td><br /><fmt:message key="login.signup"/></td>
    </tr>
</table>
</form>
</div>

HTH,

Matt


-Original Message-
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 2:11 PM
To: Struts Users Mailing List
Subject: Re: Container-Managed Authentication login-config in web.xml
vs . Specifying Paths in the struts-config.xml


People answer questions without reading my original
post.  Therefore, I must re-type my original question
again.

Before I posted my question, I had configured the
Tomcat JDBCRealm following the instructions at
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
so that I can do security testing programmatically, such
as isUserInRole(), in my program.

If I use form based authentication, I insert the
login-config and its sub-elements in my web.xml file
(see below).  As we know, the form-login-page and
form-error-page are required.

My question is that the container-managed
authentication (we provide login page and error page
in the web.xml) does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts.config.xml or
we should use the form-login-page and
form-error-page in the web.xml file?

Thanks.
--- Craig R. McClanahan [EMAIL PROTECTED] wrote:
 Caroline Jen wrote:
 
 But, I do not want to use BASIC authentication.  I
 have many different roles and hundreds of people
 per
 role.  Users' name, role, etc. are stored in a
 database.
 
 How authentication is performed (BASIC, form-based,
 DIGEST, or SSL 
 client certificates) and how users are stored
 (database, directory 
 server, local XML file, ...) are two separate
 questions.  For most 
 servers, any combination is possible.  With Tomcat,
 for example, you 
 can configure JDBCRealm to point at your user and
 role definitions in a 
 database, and then use those users with any of the
 authentication 
 methods.  For more information, see:
 


http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
 
 The choice between BASIC and form-based
 authentication, then, can be 
 based on user interface related concerns, rather
 than worrying about a 
 database.
 
 Craig
 
 --- Matt Raible [EMAIL PROTECTED] wrote:
   
 
 A JDBCRealm can use BASIC authentication - it
 doesn't require form-based.
 Here's an example app that might help you out:
 
 
 
 

http

Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Andrew Shirk
Logical paths work fine for me in web.xml (using tomcat 4.1.x):

  <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
        <form-login-page>/do/login/edit</form-login-page>
        <form-error-page>/do/login/fail</form-error-page>
     </form-login-config>
  </login-config>
Andrew

At 03:11 PM 10/7/2003, you wrote:
People answer questions without reading my original
post.  Therefore, I must re-type my original question
again.
Before I posted my question, I had configured the
Tomcat JDBCRealm following the instructions at
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
so that I can do security testing programmatically, such
as isUserInRole(), in my program.
If I use form based authentication, I insert the
login-config and its sub-elements in my web.xml file
(see below).  As we know, the form-login-page and
form-error-page are required.
My question is that the container-managed
authentication (we provide login page and error page
in the web.xml) does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.
What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts.config.xml or
we should use the form-login-page and
form-error-page in the web.xml file?
Thanks.
--- Craig R. McClanahan [EMAIL PROTECTED] wrote:
 Caroline Jen wrote:

 But, I do not want to use BASIC authentication.  I
 have many different roles and hundreds of people
 per
 role.  Users' name, role, etc. are stored in a
 database.
 
 How authentication is performed (BASIC, form-based,
 DIGEST, or SSL
 client certificates) and how users are stored
 (database, directory
 server, local XML file, ...) are two separate
 questions.  For most
 servers, any combination is possible.  With Tomcat,
 for example, you
 can configure JDBCRealm to point at your user and
 role definitions in a
 database, and then use those users with any of the
 authentication
 methods.  For more information, see:



http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

 The choice between BASIC and form-based
 authentication, then, can be
 based on user interface related concerns, rather
 than worrying about a
 database.

 Craig

 --- Matt Raible [EMAIL PROTECTED] wrote:
 
 
 A JDBCRealm can use BASIC authentication - it
 doesn't require form-based.
 Here's an example app that might help you out:
 
 
 
 

http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
 
 
 HTH,
 
 Matt
 
 -Original Message-
 From: Caroline Jen [mailto:[EMAIL PROTECTED]
 Sent: Monday, October 06, 2003 4:45 PM
 To: [EMAIL PROTECTED]
 Subject: Container-Managed Authentication
 login-config in web.xml vs.
 Specifying Paths in the struts-config.xml
 
 
 I use Tomcat.  I configured the Tomcat JDBCRealm
 so that I can use programmatic security testing, such
 as isUserInRole(), in my program.
 
 Because Tomcat JDBCRealm is form based, I inserted
 the
 login-config and its sub-elements in my web.xml
 file
 (see below).  As we know, the form-login-page
 and
 form-error-page are required.
 
 My question is that the container-managed
 authentication does not seem to be consistent with
 what we usually do in struts; e.g. we state the
 logical name and path for each .jsp page in the
 struts-config.xml file.
 
 What is the Struts convention in dealing with user
 authentication?  Should we specify the paths for
 the
 logon page and error page in the struts.config.xml
 or
 we should use the form-login-page and
 form-error-page in the web.xml file?
 
 
 
 

==

 <security-constraint>
    <web-resource-collection>
       <web-resource-name>SalesInfo</web-resource-name>
       <url-pattern>/SalesInfo/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
       <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
 </security-constraint>

 <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
       <form-login-page>/authentication/login.html</form-login-page>
       <form-error-page>/authentication/error.html</form-error-page>
    </form-login-config>
 </login-config>

 <security-role>
    <role-name>manager</role-name>
 </security-role>
 
 
 
 

Re: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-07 Thread Caroline Jen
Thanks a lot, Andrew.  I got the idea.
--- Andrew Shirk [EMAIL PROTECTED] wrote:
 Logical paths work fine for me in web.xml (using
 tomcat 4.1.x):
 
 <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
       <form-login-page>/do/login/edit</form-login-page>
       <form-error-page>/do/login/fail</form-error-page>
    </form-login-config>
 </login-config>
 
 Andrew
 
 At 03:11 PM 10/7/2003, you wrote:
 People answer questions without reading my original
 post.  Therefore, I must re-type my original
 question
 again.
 
 Before I posted my question, I had configured the
 Tomcat JDBCRealm following the instructions at

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
 so that I can do security testing programmatically, such
 as isUserInRole(), in my program.
 
 If I use form based authentication, I insert the
 login-config and its sub-elements in my web.xml
 file
 (see below).  As we know, the form-login-page and
 form-error-page are required.
 
 My question is that the container-managed
 authentication (we provide login page and error
 page
 in the web.xml) does not seem to be consistent with
 what we usually do in struts; e.g. we state the
 logical name and path for each .jsp page in the
 struts-config.xml file.
 
 What is the Struts convention in dealing with user
 authentication?  Should we specify the paths for
 the
 logon page and error page in the struts.config.xml
 or
 we should use the form-login-page and
 form-error-page in the web.xml file?
 
 Thanks.
 --- Craig R. McClanahan [EMAIL PROTECTED]
 wrote:
   Caroline Jen wrote:
  
   But, I do not want to use BASIC authentication.
  I
   have many different roles and hundreds of
 people
   per
   role.  Users' name, role, etc. are stored in a
   database.
   
   How authentication is performed (BASIC,
 form-based,
   DIGEST, or SSL
   client certificates) and how users are stored
   (database, directory
   server, local XML file, ...) are two separate
   questions.  For most
   servers, any combination is possible.  With
 Tomcat,
   for example, you
   can configure JDBCRealm to point at your user
 and
   role definitions in a
   database, and then use those users with any of
 the
   authentication
   methods.  For more information, see:
  
  
  

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
  
   The choice between BASIC and form-based
   authentication, then, can be
   based on user interface related concerns, rather
   than worrying about a
   database.
  
   Craig
  
   --- Matt Raible [EMAIL PROTECTED]
 wrote:
   
   
   A JDBCRealm can use BASIC authentication - it
   doesn't require form-based.
   Here's an example app that might help you out:
   
   
   
   
  
 

http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
   
   
   HTH,
   
   Matt
   
   -Original Message-
   From: Caroline Jen
 [mailto:[EMAIL PROTECTED]
   Sent: Monday, October 06, 2003 4:45 PM
   To: [EMAIL PROTECTED]
   Subject: Container-Managed Authentication
   login-config in web.xml vs.
   Specifying Paths in the struts-config.xml
   
   
   I use Tomcat.  I configured the Tomcat JDBCRealm
   so that I can use programmatic security testing, such
   as isUserInRole(), in my program.
   
   Because Tomcat JDBCRealm is form based, I
 inserted
   the
   login-config and its sub-elements in my
 web.xml
   file
   (see below).  As we know, the
 form-login-page
   and
   form-error-page are required.
   
   My question is that the container-managed
   authentication does not seem to be consistent
 with
   what we usually do in struts; e.g. we state
 the
   logical name and path for each .jsp page in
 the
   struts-config.xml file.
   
   What is the Struts convention in dealing with
 user
   authentication?  Should we specify the paths
 for
   the
   logon page and error page in the
 struts.config.xml
   or
   we should use the form-login-page and
   form-error-page in the web.xml file?
   
   
   
   
  
 

==

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>SalesInfo</web-resource-name>
         <url-pattern>/SalesInfo/*</url-pattern>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

   <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
         <form-login-page>/authentication/login.html</form-login-page>
   
 
=== message truncated ===



re: authentication

2003-10-06 Thread Manganotti Francesco \(USI\)
Does anyone know a good way to implement AUTHORIZATION with Struts?

cheers,
F.


Re: authentication

2003-10-06 Thread Max Cooper
Use container-managed security, or this filter-based clone, for which I am
the project leader: http://securityfilter.sourceforge.net/. The Servlet spec
contains the information needed to get started with container-managed
security. Your app server documentation will have information about how to
configure realms. It may seem complicated at first, but it is much easier
than writing your own system.

If you organize your action paths by what role they require, you can just
use security-constraints and url-patterns to protect everything:

/admin/* limited to users with the 'admin' role
/order/* limited to users with the 'customer', 'sales', or 'admin' roles
... etc.

If that is the case, that is all you need to do.


Or you can protect everything with a security-constraint and / url-pattern.
Then add a set of roles that will cover your entire user base. For instance,
if every user has the 'admin' role OR the 'customer' role OR the 'sales'
role, just add that set of roles to the security-constraint so everyone can
get to everything after they login. The reason to protect everything like
this is so that the container will authenticate users automatically when
they make a request for any of these resources. You will add the real
protection for individual actions (using roles) in struts-config.xml later.

NOTE: You may also need to un-protect url-patterns like /images/* so that
the images will display properly on your login form. You can do that by
creating a security-constraint with the /images/* (and /styles/*, etc. -- 
whatever should be publicly accessible) url-pattern and don't assign any
roles to it.

Now that you have the container doing the authentication for your whole app,
you will want to limit which users can execute a given action by assigning a
role (or roles) to each action in Struts. You can do that by specifying a
roles attribute in an action-mapping:
<action-mappings>
  <action path="/editOrder"
          type="my.package.EditOrderAction"
          name="orderForm"
          scope="request"
          input="/editOrder.jsp"
          roles="admin,sales"/>
</action-mappings>

The roles="admin,sales" attribute here means that users with either the 'admin' or 'sales' role (or
both) will be allowed to execute this action.

See my posts in the recent Verifying integrity of URLs thread for some
ideas on how to do programmatic security when the roles are not specific
enough to decide if a user should be able to execute the action or not (e.g.
a customer can only see their orders, but not orders for other users).

That is a basic overview of how to do Struts security with container-managed
security (or a filter-based clone of container-managed security like
SecurityFilter). I am a big proponent of using as much standard security
stuff as you can (container-managed, or a filter that is a clone of it)
because it is easier to implement, generally more secure, generally works
better (automatic, just-in-time authentication), and gets along better with
other things (like the Struts roles= attribute) than writing your own.
Everyone should learn how the container-managed security stuff works before
making the decision of what to use for their app. At the very least, there
are some useful patterns and behaviors in the standard that will help in
writing your own system. Sometimes it still makes sense to write your own
security, but I think we as developers have a tendency to skip over
container-managed security before investigating how it could work for us and
go right into writing our own stuff. Most of the time, it would be a lot
less work and our apps would work a lot better if we just took the time to
learn the standard. I am guilty of skipping it over in the past, but it is
very clear to me now that learning the standard first is the best approach,
even if you don't end up using it directly.

-Max

- Original Message - 
From: Manganotti Francesco (USI) [EMAIL PROTECTED]
To: Struts Users Mailing List (E-mail) [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 12:41 AM
Subject: re: authentication


Anyone knows a good way to implement AUTHORIZATION with Struts.

cheers,
F.
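
Max's point about programmatic security when roles are not specific enough (a customer may see only their own orders), as an added Java example that is not his code or SecurityFilter's. The Order record, the in-memory store, the forward name and the role names are constructed for the example; getRemoteUser() and isUserInRole() are the standard Servlet API calls the container fills in once it has authenticated the user, and the roles= attribute on the mapping is assumed to have already limited the action to 'admin', 'sales' and 'customer'.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Added example, not Max's code or SecurityFilter's. The container has
 * authenticated the caller and the mapping's roles= attribute has already
 * restricted who may reach this action; what neither can decide is whether
 * THIS customer may see THIS order, so the action checks ownership itself.
 */
public class ViewOrderAction extends Action {

    /** Constructed order record: id plus the login name of its owner. */
    public static final class Order {
        public final String id;
        public final String ownerName;

        public Order(String id, String ownerName) {
            this.id = id;
            this.ownerName = ownerName;
        }
    }

    /** Stand-in for a DAO, holding constructed sample data. */
    private static final Map<String, Order> ORDERS = new HashMap<String, Order>();
    static {
        ORDERS.put("1001", new Order("1001", "alice"));
        ORDERS.put("1002", new Order("1002", "bob"));
    }

    /**
     * Staff roles may view any order; a customer only their own; an
     * unauthenticated caller or a missing order is always denied.
     */
    static boolean mayView(HttpServletRequest request, Order order) {
        String remoteUser = request.getRemoteUser();   // null when not authenticated
        if (remoteUser == null || order == null) {
            return false;
        }
        if (request.isUserInRole("admin") || request.isUserInRole("sales")) {
            return true;
        }
        return request.isUserInRole("customer") && order.ownerName.equals(remoteUser);
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        Order order = ORDERS.get(request.getParameter("id"));
        if (!mayView(request, order)) {
            // Same response whether the order is missing or belongs to someone
            // else, so the id space cannot be probed for other users' orders.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }
        request.setAttribute("order", order);
        return mapping.findForward("success");   // forward name assumed
    }
}
```

The role test stays declarative in struts-config.xml; the action only adds the ownership decision the roles cannot express, and it fails closed when the container reports no user at all.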

Struts and user-authentication

2003-10-06 Thread Ilja
Is there any good example on how to incorporate strict
user-authentication with Struts?

Currently I'm working on a way to implement user-authentication with
OSUser (www.opensymphony.com/osuser) and hibernate (www.hibernate.org)

What's the best way to implement user-security? Where should the
authentication method be put in? In every action? Is it possible to
create one generic class that authorizes a user and sends it to the
appropriate page (either the page he requested, an error or a login-page)
without coding it on every single action page?

Thanks,

Ilja

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Struts and user-authentication

2003-10-06 Thread Deepak
Try this :
http://www.theserverside.com/resources/article.jsp?l=JAAS

- Original Message - 
From: Ilja [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 6:00 PM
Subject: Struts and user-authentication







Re: Struts and user-authentication

2003-10-06 Thread Ilja
Thanks! Very helpful, but still some questions:

How can you programmatically make use of struts-config.xml? Now the
login page is hardcoded:

String loginPage = request.getContextPath() + "/logon.do";

Can't you make it more generic so that it uses the config-file to look it
up?

Secondly: How can you display userinformation in a jsp-page when you have
your own authentication-system? I probably have to write my own taglibs
right?

Ilja

On Mon, 6 Oct 2003 18:10:56 +0530, Deepak [EMAIL PROTECTED] said:




Re: Struts and user-authentication

2003-10-06 Thread Sean Dockery
You can use tiles to optionally display information based on a user's role.
Another possibility is to use the Struts logic tags to test if the user is
in a given role; the body of the tag will either be rendered or
not--depending on whether or not a user is in a given role.

Ilja [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]







Container-Managed Authentication login-config in web.xml vs. Specifying Paths in the struts-config.xml

2003-10-06 Thread Caroline Jen
I use Tomcat.  I configured the Tomcat JDBCRealm
so that I can use programmatic security testing, such as
isUserInRole(), in my program.

Because Tomcat JDBCRealm is form based, I inserted the
login-config and its sub-elements in my web.xml file
(see below).  As we know, the form-login-page and
form-error-page are required.

My question is that the container-managed
authentication does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts.config.xml or
we should use the form-login-page and
form-error-page in the web.xml file?

==
<security-constraint>
   <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/SalesInfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>manager</role-name>
   </auth-constraint>
   <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
</security-constraint>

<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/authentication/login.html</form-login-page>
      <form-error-page>/authentication/error.html</form-error-page>
   </form-login-config>
</login-config>

<security-role>
   <role-name>manager</role-name>
</security-role>








RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-06 Thread Matt Raible
A JDBCRealm can use BASIC authentication - it doesn't require form-based.
Here's an example app that might help you out:

http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample

HTH,

Matt

-Original Message-
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: Container-Managed Authentication login-config in web.xml vs.
Specifying Paths in the struts-config.xml






Re: Container-Managed Authentication login-config in web.xml vs. Specifying Paths in the struts-config.xml

2003-10-06 Thread Adam Hardy
Hi Caroline,
if I remember correctly, it is not possible to use Action servlet 
mappings for the login and error pages in tomcat.

I do know for sure that it is recommended practice to keep those pages 
separate programmatically and to view them as part of the container 
rather than part of your app. Check the archives for a few threads on 
that matter.

Adam

On 10/07/2003 12:44 AM Caroline Jen wrote:

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


RE: Container-Managed Authentication login-config in web.xml vs . Specifying Paths in the struts-config.xml

2003-10-06 Thread Caroline Jen
But, I do not want to use BASIC authentication.  I
have many different roles and hundreds of people per
role.  Users' name, role, etc. are stored in a
database.
--- Matt Raible [EMAIL PROTECTED] wrote:





Connection Pooling + User Authentication

2003-09-23 Thread Kapadia Mitesh-C23457
Hello.
I would like to explore Connection Pooling as opposed to direct JDBC calls
to an Oracle V8.1.6 database in a STRUTS application.
The queries that are being executed have some kind of security built into
them such that they only return results based on the User Id ( a look up of
the User Id is conducted in this query to determine the level of security)
My question: If I were to implement Connection Pooling, is it possible to
individually identify each user in the connection pool when a connection is
being used? If a user is using a pool from the DB Connection Pool, can the
user still be individually identified by their User ID as opposed to the
User ID used to create the DB Connection Pool?
This would be a requirement since the user id would be used to determine the
level of security in the queries on the DB.
Any assistance you can provide would be most appreciated.

Thanks in advance.

Mitesh


Re: Connection Pooling + User Authentication

2003-09-23 Thread Kirk Wylie
Kapadia Mitesh-C23457 wrote:

Hello.
I would like to explore Connection Pooling as opposed to direct JDBC calls
to an Oracle V8.1.6 database in a STRUTS application.
Just for further clarification, are you talking about using the Struts 
Data Sources or something external to Struts, like the Commons DBCP package?

The queries that are being executed have some kind of security built into
them such that they only return results based on the User Id ( a look up of
the User Id is conducted in this query to determine the level of security)
I'm understanding this to mean that what happens is that when a user of 
your application logs in, you then do some type of lookup (which may be 
one-to-one) to determine what user they should log into the database 
using, and then you have privileges set on the database user determining 
what that user is permitted to do. Is that correct?

My question: If I were to implement Connection Pooling, is it possible to
individually identiffy each user in the connection pool when a 
connection is
being used? If a user is using a pool from the DB Connection Pool, can the
user still be individually identified by their User ID as opposed to the
User ID used to create the DB Connection Pool?
Usually not, but there might be a way around it.

This would be a requirement since the user id would be used to determine 
the
level of security in the queries on the DB.
Any assistance you can provide would be most appreciated.
One way to do this is to use a package such as the Commons DBCP package 
(http://jakarta.apache.org/commons/dbcp/), which would then allow you to 
create one pool per user. In essence, you would have some properties 
which would specify everything but the user name for a connection 
(called, for example, myconn), and then you would just create a 
different connection pool instance at runtime based on the actual 
underlying user name (such as myconn-kwylie or myconn-jsmith). When 
you lookup a connection instance, then, you would look up the version 
which includes the user name.

This still has advantages over creating a connection per request, so 
it's still a worthwhile pattern to follow if your database requires this 
type of access.

Of course, if I'm not understanding the requirements, please let me know.

Kirk Wylie
M7 Corporation


Re: Connection Pooling + User Authentication

2003-09-23 Thread Craig R. McClanahan
Kapadia Mitesh-C23457 wrote:


Some connection pools (not including commons-dbcp) do support the 
ability to pool connections that are registered to individual database 
usernames.  However, this is going to reduce the reusability of the 
connections -- the connection that user foo just put back into the 
pool cannot be used by user bar.

For Oracle in particular, I've had a lot of success doing things based 
on database roles, rather than usernames.  Then, in your DAO object you 
would acquire a generic connection (one that has a valid 
username/password, but no access to any tables) and then do a SET ROLE 
statement based on who the current user is.  Then, before you return the 
connection to the pool, you will want to reset the role again.  Using 
this approach maximizes the usefulness of any connection pool.

Craig





Re: Connection Pooling + User Authentication

2003-09-23 Thread Sgarlata Matt
- Original Message - 
From: Craig R. McClanahan [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Tuesday, September 23, 2003 1:41 PM
Subject: Re: Connection Pooling + User Authentication


 For Oracle in particular, I've had a lot of success doing things based
 on database roles, rather than usernames.  Then, in your DAO object you
 would acquire a generic connection (one that has a valid
 username/password, but no access to any tables) and then do a SET ROLE
 statement based on who the current user is.  Then, before you return the
 connection to the pool, you will want to reset the role again.  Using
 this approach maximizes the usefulness of any connection pool.

We take a similar approach with Oracle, except our connections are
user-based instead of role-based.  We set up a PL/SQL package called GLOBAL
that has a SET_USERID procedure which sets the user id in the global
package.  Since each connection to the database receives its own instance
of the PL/SQL package, we can write SQL statements that depend on the
current user which is logged in.  (In Oracle, we are using Policy
Predicates.  I'm not sure the equivalent in other DBs).  This has been very
helpful in implementing row-level security.

 Craig

Matt


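
The two connection-scoping approaches above (Craig's SET ROLE per database role, and Matt's per-user id set through a PL/SQL package), worked through as an added Java example that is not code from either poster. It assumes a javax.sql.DataSource pool, the application-to-database role names in the map, an orders table, and that GLOBAL.SET_USERID (the name is from Matt's post) takes one VARCHAR argument and clears the context when passed NULL; the SQL is Oracle syntax.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;

/**
 * Added example, not code from either poster. Borrows a pooled connection,
 * scopes it to the caller before the query runs, and undoes that scope
 * before the connection goes back to the pool.
 */
public class ScopedConnectionDao {

    /** Application role -> database role (constructed values). Only names from
     *  this map ever reach SET ROLE, so no caller-supplied text is put into SQL. */
    private static final Map<String, String> ROLE_MAP = new HashMap<String, String>();
    static {
        ROLE_MAP.put("admin", "APP_ADMIN");
        ROLE_MAP.put("sales", "APP_SALES");
        ROLE_MAP.put("customer", "APP_CUSTOMER");
    }

    private final DataSource pool;

    public ScopedConnectionDao(DataSource pool) {
        this.pool = pool;
    }

    /** Resolve the database role for an application role; unknown roles fail closed. */
    static String databaseRoleFor(String appRole) {
        String dbRole = ROLE_MAP.get(appRole);
        if (dbRole == null) {
            throw new IllegalArgumentException("no database role mapped for " + appRole);
        }
        return dbRole;
    }

    /** Craig's approach: the pooled account owns nothing; a role is enabled per call. */
    public List<String> orderIdsForRole(String appRole, String customerId) throws SQLException {
        String dbRole = databaseRoleFor(appRole);
        Connection con = pool.getConnection();
        try {
            execute(con, "SET ROLE " + dbRole);
            return selectOrderIds(con, customerId);
        } finally {
            try {
                // Reset before the connection is handed back so the next
                // borrower does not inherit this caller's privileges.
                execute(con, "SET ROLE NONE");
            } finally {
                con.close();   // returns the connection to the pool
            }
        }
    }

    /** Matt's approach: store the user id in package state that the row-level policy reads. */
    public List<String> orderIdsForUser(String userId, String customerId) throws SQLException {
        Connection con = pool.getConnection();
        try {
            setUserId(con, userId);
            return selectOrderIds(con, customerId);
        } finally {
            try {
                setUserId(con, null);   // clear the package state for the next borrower (assumed semantics)
            } finally {
                con.close();
            }
        }
    }

    private static void setUserId(Connection con, String userId) throws SQLException {
        CallableStatement cs = con.prepareCall("{call GLOBAL.SET_USERID(?)}");
        try {
            if (userId == null) {
                cs.setNull(1, Types.VARCHAR);
            } else {
                cs.setString(1, userId);
            }
            cs.execute();
        } finally {
            cs.close();
        }
    }

    private static void execute(Connection con, String sql) throws SQLException {
        Statement st = con.createStatement();
        try {
            st.execute(sql);
        } finally {
            st.close();
        }
    }

    private static List<String> selectOrderIds(Connection con, String customerId) throws SQLException {
        PreparedStatement ps = con.prepareStatement(
                "SELECT order_id FROM orders WHERE customer_id = ?");   // table assumed
        try {
            ps.setString(1, customerId);
            ResultSet rs = ps.executeQuery();
            List<String> ids = new ArrayList<String>();
            while (rs.next()) {
                ids.add(rs.getString(1));
            }
            return ids;
        } finally {
            ps.close();
        }
    }
}
```

The part that matters for a shared pool is the nested finally: the role or user id is reset before close() hands the connection back, even when the query threw, so a later borrower cannot run with the previous caller's privileges. Because only values from ROLE_MAP are ever concatenated into SET ROLE, no caller-supplied string reaches the statement text.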



Re: Connection Pooling + User Authentication

2003-09-23 Thread Christian Bollmeyer
On Tuesday, 23 September 2003 at 19:41, Craig R. McClanahan wrote:

Just for completeness, yet another approach. As I can't explain it 
better, I'll just cite the relevant passage from Hans Bergsten's 
ever-resourceful JSP book (the O'Reilly one with the wolf on the
front cover, 2nd edition, p. 475):

A connection pool doesn't solve all problems, however. Because
all users are using the same Connection objects, you can't rely
on the database engine to limit access to protected data on a
per-user basis. Instead, you have to define data-access rules
in terms of roles (groups of users with the same access rights).
You can then use separate pools for different roles, each pool
creating Connection objects with a database account that
represents the role.

Considering the commons-dbcp implementation (in particular
the one that gets shipped with Tomcat 4.1.24), I may add
that not all Oracle driver versions run well in this environment,
with some of them issuing ORA- messages with very
low numbers recommending to consult Oracle developer
support, regardless of 'thin' or OCI-based types. IIRC even
the ones that get shipped with Oracle 9i R2 or JDev 9.0.3
failed in this direction. If you experience the same problem,
try the latest 9i R2 drivers available from OTN. Note that
Oracle recently changed the driver architecture, so there
are the legacy 'classes12.zip | .jar' ones plus the 'new'
ones with a different naming scheme (was it ojdbc4.jar?)
designed for 1.4.x and later now. For details, you might
want to give the documentation that accompanies the
file a closer look. 

-- Chris






re-invoke request after authentication

2003-09-16 Thread Morten Andersen
I've implemented my own authentication mechanism using Struts and it works 
fine, but I have to use the request.attributes instead of 
request.getParameters because the parameterMap is immutable.

Another way i'm thinking about is to redirect the user to the restricted 
action after login.

So that the following happens:

The user request an action that requires login.
If the user is not logged in, then he is sent to a login-page.
He fills in the login-form.
The login-form content is sent to the login action.
If he may enter, then he is sent to the page that he initially required, 
with all the information he tried to send in the first place.

So I need to write a string with all the information, that the user sent in 
the first place, so that I can write something like:

<body onload="location.href='<bean:write name="oldRequestWithAllParameters"/>'">

Is there an easy way of implementing that?

Morten Andersen
Master of applied mathematics and computer science
Research assistant (in e-learning)
The Maersk Institute of Production technology at Southern Danish University 
www.mip.sdu.dk
Campusvej 55
DK-5230 Odense M
Denmark
+45 6550-3654
+45 6171-1103
Jabber id: [EMAIL PROTECTED]
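
One way to carry the original request across the login round trip, as an added Java example (not Morten's or Daniel's code). It copies the servlet path and the parameter map into the session before the redirect to the login page, and after login rebuilds them as a URL-encoded, same-origin URL; the session attribute name is an assumption.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the original post. Keeps a copy of the request a
 * user made before being sent to the login page, then rebuilds it as a
 * same-origin URL after a successful login.
 */
public final class SavedRequest {

    static final String SESSION_KEY = "savedRequest";   // assumed attribute name

    private final String path;                    // servlet path (+ path info), never a full URL
    private final Map<String, String[]> params;   // our own copy: the live parameter map is immutable

    private SavedRequest(String path, Map<String, String[]> params) {
        this.path = path;
        this.params = params;
    }

    /** Call this from the gatekeeper before redirecting to the login page. */
    public static void save(HttpServletRequest req) {
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path += req.getPathInfo();
        }
        Map<String, String[]> copy = new LinkedHashMap<String, String[]>();
        Map<?, ?> original = req.getParameterMap();   // raw Map in older servlet APIs
        for (Map.Entry<?, ?> e : original.entrySet()) {
            copy.put((String) e.getKey(), (String[]) e.getValue());
        }
        req.getSession(true).setAttribute(SESSION_KEY, new SavedRequest(path, copy));
    }

    /** After login: the URL to redirect to, or null when nothing was saved. */
    public static String restore(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        SavedRequest saved = (SavedRequest) session.getAttribute(SESSION_KEY);
        if (saved == null) {
            return null;
        }
        session.removeAttribute(SESSION_KEY);   // one-shot: do not replay on later logins
        return req.getContextPath() + saved.toQueryUrl();
    }

    /** Path plus every saved parameter, URL-encoded so values cannot break the URL. */
    String toQueryUrl() {
        StringBuilder sb = new StringBuilder(path);
        char sep = '?';
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String value : e.getValue()) {
                sb.append(sep).append(encode(e.getKey())).append('=').append(encode(value));
                sep = '&';
            }
        }
        return sb.toString();
    }

    private static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);   // UTF-8 is always available
        }
    }
}
```

In the login action, after the credentials check succeeds: String target = SavedRequest.restore(request); return target == null ? mapping.findForward("home") : new ActionForward(target, true); (the two-argument ActionForward constructor makes it a redirect). Two caveats: the restored request is a GET, so parameters the user originally POSTed end up in the query string and in server logs, which rules this out for anything sensitive; and because only the servlet path is stored, never a caller-supplied URL, the redirect cannot be pointed off-site. A server-side redirect also avoids having to escape the URL inside the onload JavaScript string, which the bean:write approach would need.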


Re: re-invoke request after authentication

2003-09-16 Thread Daniel Wang
If you simply do a

return new ActionForward("/foo.do");   // forward, not redirect: the same request object is reused

your request will be forwarded to the new action with the existing
ServletRequest object intact.  i.e. everything will just work.

daniel

- Original Message - 
From: Morten Andersen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 16, 2003 4:09 PM
Subject: re-invoke request after authentication








Authentication in RequestProcessor ?

2003-09-02 Thread Mike Whittaker

Browsing the archives, I read a lot about authentication and the best place
to do it being the RequestProcessor.

I find this odd!  Not all action-mapping requests go through a
RequestProcessor, e.g.:

<action path="/MyJSP" forward="/WEB-INF/jsp/MyJSP.jsp"/>

Is this true? It certainly seems that way, and MyJSP.jsp needs authenticating!

The only logical places I can see to do this globally are either
ActionServlet or a Filter.

[Pre-Struts I did this in a filter.  And, although I didn't waste much time
trying to sort it out due to the current Struts refactoring, I had problems with
EVERY request going through the filter, i.e. ALL static images too (no
servlet suffixes to map).]

Your views?

TIA
--
Mike W





Re: Authentication in RequestProcessor ?

2003-09-02 Thread Mike Whittaker

 I find this odd!  Not all action-mapping requests go through a
RequestProcessor.

Doh!

Just found processPreprocess() that does seem to get called for EVERY
struts-config entry.
So I shall do my authentication there.
Oh well, might help another archive browser.

--
Mike W





User authentication methods (or ways to login a user)

2003-08-26 Thread Cezar Nasui
Hi,

I'm new to Struts and to get used to it I developed an application which
has to log in a user by checking records in a database.
After reading more posts about user authentication I've got puzzled and now
I try to clarify this thing.

I identified the following ways to do the authentication:
1. session variable on user login, check the variable on each action
2. filter authentication
3. security constraints = container authentication (?)
4. using a tag in each jsp for the validation

Are there any other methods?

As for what method one should use, I think it depends on many factors like the
complexity of the application, habits, etc., but the first method is not for
use in applications with many Actions as you'll need to add session
validation code in each action = more difficult to develop and maintain.
Any other things one should know before considering one of these methods?

Thanks,
Cezar





RE: Authentication Filter not working

2003-08-26 Thread Cezar Nasui

Hi Jing,

> Using container security or a servlet filter is equivalent when protecting
> web applications. We have a topic with sample security constraints at
> http://www.netspread.com/tips2.html#mvc
> in which you could put a 'nobody' role to deny any direct access to your
> JSP pages in web applications. No code here.

I followed the link and I think this can be a nice solution for not having
to place the JSP files under WEB-INF, but I didn't see (I must confess I
didn't have the time to look any further than the link you gave me) how one
can do authentication against a database for checking username / password.
I'll look more into the subject this week.

> I would say you might want to check if you have removed the LoggedIn
> object from the session in the logout action class...

I removed the object before doing a session.invalidate()

> Even if I set nocache to true, the end users could get a "Page has Expired"
> warning message. Then the users could do a hard Retry and they get the pages
> again. Have you tried this before?

I tried it, and it's true what you say, but once the session is invalidated,
with the authentication I have in place right now they are redirected to the
logon page.
What I'm looking for now, with the filter, container authentication,
security constraints, etc., is the easiest way (less redundant code,
centralized method) to do the user's authentication.

> Jing

Thanks a lot ;)
Cezar


 On Fri, 2003-08-22 at 18:12, Jing Zhou wrote:
  I would prefer to use the security constraints to protect
  sensitive area. And in the logout action class, invalidate
  the user's session and then forward to /logout.html.
 
  In the logout.html page, you could add JavaScript
  statement on top of it:
 
  location.replace('/thank_you.html');
 
  Once the thank_you.html is shown, the Back button
  is disabled. The user will have no chance to back.
  Make sure the thank_you.html is outside the security
  constraints.
 
  Jing
  Netspread Carrier
  http://www.netspread.com
 
 



RE: User authentication methods (or ways to login a user)

2003-08-26 Thread Bill Chmura


I just went through a whole slew of options, and in the end settled on
letting tomcat do form based authentication.  It works.  Good
instructions on it in the tomcat docs.

Playing with the app directory structure to get a good fit took a little
tweaking; I ended up moving everything around a bunch.  The app uses
tiles, so I had to sport a secured section and an unsecured section...

So I have a /app directory that is secured by the container.  I also
prefixed all my secured actions with /app/show_menu.do (app on the
front) which seems to prevent me from calling it directly.  Can someone
tell me if this is bad?  I plan on doing more checking in the actions
for levels of access...

There also is some tag for struts actions for roles (I should go look
that up).





   -Original Message-
   From: Cezar Nasui [mailto:[EMAIL PROTECTED] 
   Sent: Monday, August 25, 2003 11:33 PM
   To: Struts Users Mailing List
   Subject: User authentication methods (or ways to login a user)
   
   



Authentication Filter not working

2003-08-22 Thread Cezar Nasui
Hi all,

I try to use a filter for the authentication so I created a class which
implements filter with the following doFilter method (I found this in a
post)

<code>
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionFilter implements Filter {
    // obtained in init(): the posted snippet used 'context' without declaring it
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest _request, ServletResponse _response,
                         FilterChain _chain)
            throws IOException, ServletException {
        String redirectFailure = "/logon.jsp";

        // getSession(false) avoids creating a session for an anonymous request
        HttpSession session = ((HttpServletRequest) _request).getSession(false);
        if ((session == null) || (session.getAttribute("loggedIn") == null)) {
            context.getRequestDispatcher(redirectFailure)
                   .forward(_request, _response);
        } else {
            _chain.doFilter(_request, _response);
        }
    }
}
</code>

I added this in the web.xml file:
<code>
  <filter>
    <filter-name>SessionFilter</filter-name>
    <filter-class>dbmanager.SessionFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SessionFilter</filter-name>
    <url-pattern>/DBManager/*</url-pattern>
  </filter-mapping>
</code>

and I also:
- set nocache to true for the Action servlet
- in logoff I invalidate the session I create in login, along with the
loggedIn variable

The problem: when I log out and then go back to the last page, everything
is working !!!

I overlooked something, any ideas?

Thanks,
Cezar
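As an added example (my code, not Cezar's SessionFilter nor any project on the page) of what the filter above is missing, which also serves the earlier "re-invoke request after authentication" thread: it assumes a loggedIn session attribute set by the login action and a logon page outside the filtered URL space, records the original request for the post-login redirect, and sends no-store headers so that Back after logout re-requests the page and hits the check.

```java
// AuthFilter.java (added example): gate a URL space on a session flag, remember
// the original request for the post-login redirect, and stop the browser caching
// protected pages so that Back after logout is re-requested instead of replayed.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthFilter implements Filter {
    /** Session attribute the login action sets after a successful check (assumed name). */
    public static final String LOGGED_IN = "loggedIn";
    /** Session attribute holding the URL to return to after login (assumed name). */
    public static final String ORIGINAL_URL = "originalUrl";

    /** Logon page; it must live outside the filter's url-pattern or the redirect loops. */
    private String loginPage;

    public void init(FilterConfig config) throws ServletException {
        loginPage = config.getInitParameter("loginPage");   // optional init-param
        if (loginPage == null) {
            loginPage = "/logon.jsp";
        }
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Set on every protected response, logged in or not: a page served with
        // no-store is not replayed from cache by the Back button, so the browser
        // has to ask again and the check below runs after logout as well.
        // nocache on the ActionServlet only covers responses Struts forwards itself.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);

        // getSession(false): do not create a session just to find out there is none
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(LOGGED_IN) == null) {
            // Remember the requested URI plus query string (the GET case; a POST body
            // cannot be carried over this way) so the login action can send the user
            // back there. The value comes from the request path, not from a
            // client-supplied parameter, so it cannot become an open redirect.
            String original = request.getRequestURI();
            if (request.getQueryString() != null) {
                original += "?" + request.getQueryString();
            }
            request.getSession(true).setAttribute(ORIGINAL_URL, original);

            // Redirect rather than forward: the address bar shows the logon page,
            // and a refresh re-requests the logon page, not the protected URL.
            response.sendRedirect(request.getContextPath() + loginPage);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * For the login action: once the credentials check out, call this on the
     * pre-login session before invalidating it (invalidate-then-recreate defeats
     * session fixation), then send the fresh, logged-in session to the result.
     */
    public static String popOriginalUrl(HttpSession session, String fallback) {
        Object saved = session.getAttribute(ORIGINAL_URL);
        session.removeAttribute(ORIGINAL_URL);
        return (saved instanceof String) ? (String) saved : fallback;
    }
}
```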



Re: Authentication Filter not working

2003-08-22 Thread Jing Zhou
I would prefer to use the security constraints to protect
sensitive area. And in the logout action class, invalidate
the user's session and then forward to /logout.html.

In the logout.html page, you could add JavaScript
statement on top of it:

location.replace('/thank_you.html');

Once the thank_you.html is shown, the Back button
is disabled. The user will have no chance to back.
Make sure the thank_you.html is outside the security
constraints.

Jing
Netspread Carrier
http://www.netspread.com


- Original Message - 
From: Cezar Nasui [EMAIL PROTECTED]
To: Struts Users Mailing List [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 2:15 PM
Subject: Authentication Filter not working





Re: two-step container managed authentication

2003-08-16 Thread Erik Price
Hi John, thanks for responding.

I think that what I will do (if I ever get to that stage of this 
project, right now I'm still working on domain layer), is use CMA via 
JNDI (JNDIRealm) to authenticate against LDAP.  Then, if the 
authentication proves successful, the HTTP request continues to the 
webapp where it is intercepted by a filter, which performs 
authentication against the app-specific DB (with its own username list). 
 Then, if authentication is successful, the user is logged in and goes 
wherever they were headed -- but if not, they are redirected to an 
Action where they can fill out a form to request an app-specific account.

I'll post here if I'm able to get that up and running, though again, 
right now I'm focused on another part of the code.

Erik

PS: interesting -- you got this email pretty late?



John Tangney wrote:

The way CMA works, the auth happens completely transparently. That is, auth
happens before your app even sees the HttpRequest.
If you want to do a second auth-like thing with that request, then you'd set
up an action to do so.
Note that the CMA can access the same db tables as the rest of the app,
using a JDBCRealm (rather than JNDI.) But I guess you want to maintain
separate lists of users, right?
Sorry if this is not much help. If you could explain the use case(s) a
little, maybe we can help come up with an architecture that'll do the trick.
--johnt
Strictly speaking this is OT, since CMA is not a Struts thing, but who ya
gonna ask? ;-
in article [EMAIL PROTECTED], Erik Price at [EMAIL PROTECTED] wrote on
5/19/03 8:29 AM:

Hi,

I am soliciting advice from other struts and web developers.  I am
moving my in-progress project (JSP  servlets only) to Struts framework
after having been converted at a JUG meeting, and am planning things
out.  One of the things I would like to do is move from my current
security model (which uses a homebrewed authentication filter) to
container-managed authorization/authentication.  However, I would like
to perform two steps in the login and am not sure if this is possible
with CMA.
When a user requests a resource of the webapp, a login (form-based auth)
should be presented, and the user enters username and password.  The
authorization is performed against LDAP (partly the motivation to move
from my security filter to container-managed auth is to make JNDI/LDAP
auth easier to set up).  If the user authorizes successfully, then a
*second* step is performed -- authenticate against a local (non-LDAP)
database of registered users.  If the user's name is present in this
database, fine, log in as normal.  However, if the username is not
present in this database, then the user must be requesting an account to
use this webapp: execute the NewUserRequestAction.
This is something I can easily do with my filter, simply by implementing
the code myself.  But is it possible to do with container-managed
authorization?  Any suggestions?  BTW I would like to perform all of
this within a single HTTP request so that there is no opportunity for
the user to change the username after authorizing against LDAP but
before querying the database.
Thanks,

Erik






Re: two-step container managed authentication

2003-08-14 Thread John Tangney
The way CMA works, the auth happens completely transparently. That is, auth
happens before your app even sees the HttpRequest.

If you want to do a second auth-like thing with that request, then you'd set
up an action to do so.

Note that the CMA can access the same db tables as the rest of the app,
using a JDBCRealm (rather than JNDI.) But I guess you want to maintain
separate lists of users, right?

Sorry if this is not much help. If you could explain the use case(s) a
little, maybe we can help come up with an architecture that'll do the trick.

--johnt
Strictly speaking this is OT, since CMA is not a Struts thing, but who ya
gonna ask? ;-

in article [EMAIL PROTECTED], Erik Price at [EMAIL PROTECTED] wrote on
5/19/03 8:29 AM:

 Hi,
 
 I am soliciting advice from other struts and web developers.  I am
 moving my in-progress project (JSP  servlets only) to Struts framework
 after having been converted at a JUG meeting, and am planning things
 out.  One of the things I would like to do is move from my current
 security model (which uses a homebrewed authentication filter) to
 container-managed authorization/authentication.  However, I would like
 to perform two steps in the login and am not sure if this is possible
 with CMA.
 
 When a user requests a resource of the webapp, a login (form-based auth)
 should be presented, and the user enters username and password.  The
 authorization is performed against LDAP (partly the motivation to move
 from my security filter to container-managed auth is to make JNDI/LDAP
 auth easier to set up).  If the user authorizes successfully, then a
 *second* step is performed -- authenticate against a local (non-LDAP)
 database of registered users.  If the user's name is present in this
 database, fine, log in as normal.  However, if the username is not
 present in this database, then the user must be requesting an account to
 use this webapp: execute the NewUserRequestAction.
 
 This is something I can easily do with my filter, simply by implementing
 the code myself.  But is it possible to do with container-managed
 authorization?  Any suggestions?  BTW I would like to perform all of
 this within a single HTTP request so that there is no opportunity for
 the user to change the username after authorizing against LDAP but
 before querying the database.
 
 
 Thanks,
 
 Erik






authentication

2003-08-14 Thread Travis Stevens
I need some help with authentication with Struts.  I have been looking 
into filter validation, having a directory /publicAction and a directory 
/privateAction, each containing public and private actions.  The 
interesting thing: if the action mappings are /privateAction/* and 
/publicAction/*, then two different URLs can access someAction, 
both /privateAction/someAction and /publicAction/someAction.

I could have two directories, one /action/public and the other 
/action/private.  But here, the mapping would be /action/*, and the 
struts-config.xml paths would have to be something like 
path="/private/privateAction", which seems a little messy, especially if 
a privateAction is to become a public action.  Any ideas?

I can't use container managed authentication.

any help would be great!

-Trav



RE: authentication

2003-08-14 Thread Bailey, Shane C.


You could have two modules, one named public and one named private, and so
you would have two different path="/someAction" actions, one in each module's
struts-config.

Then in the private one you have path="/someAction" role="Admin" and in the
public one you don't have a role attribute, or it is role="all" or something.




-Original Message-
From: Travis Stevens [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 05, 2003 5:22 PM
To: [EMAIL PROTECTED]
Subject: authentication




Container Authentication: Artimus on Resin

2003-07-21 Thread aies22
Hi,

A short one. This is a Resin question - but I did not find my answers
there...

Does someone know how to set up container authentication on Resin so as to run
the artimus application?

The default for artimus is using Tomcat, which has a tomcat-users.xml file
to define roles. But for Resin, there is only resin.conf.

Thanks,

Noam





Re: Authentication question and user accounts.

2003-07-01 Thread Dan Allen

Adam Hardy ([EMAIL PROTECTED]) wrote:

 Well it is slightly off-topic because it's more a tomcat issue, but in 
 short I don't think you can achieve what you want to achieve using a 
 standard realm and container-managed security. You could easily put a 
 link to create a new account in your error page or have FORM-based CMS 
 with a link in the login form to create a new account. There is nothing 
 in struts though that will address this issue directly.
 
 HTH
 Adam
 

Check the appfuse application.  Matt pretty much does everything
that is possible when using container managed security and struts.
By that I mean, if he doesn't do it in appfuse it is darn near
impossible, so definitely check it out.

Dan

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Daniel Allen, [EMAIL PROTECTED]
http://www.mojavelinux.com/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
It is not enough to succeed.  Others must fail.  
 -- Gore Vidal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 




Authentication question and user accounts.

2003-06-30 Thread mike . witt
I am using container managed security in Tomcat 4.1.24 with a database
realm.  All this is working fine.  However, I'd like to give the user the
possibility of creating a user account when the login.jsp is displayed.  When
the user creates the account, I would like to do the login with the supplied
credentials and redirect to the originally requested page.  I'm not sure if
Tomcat's realm classes have a way to do the login in this way and I will
check that out.  The question I'm wondering about is if anyone knows a good
solution for redirecting to the originally requested page (aside from
keeping this information in a session bean).  Even if I return back to the
login.jsp, Tomcat won't know what to do when I hit the Submit button.  I'm
sorry if this is OT for Struts, but this is a Struts app and you never know
if Struts has a way to help deal with this.

Thanks for any help,

Mike Witt






Re: Authentication question and user accounts.

2003-06-30 Thread Adam Hardy
Well it is slightly off-topic because it's more a tomcat issue, but in 
short I don't think you can achieve what you want to achieve using a 
standard realm and container-managed security. You could easily put a 
link to create a new account in your error page or have FORM-based CMS 
with a link in the login form to create a new account. There is nothing 
in struts though that will address this issue directly.

HTH
Adam


Tiles and Authentication Filter

2003-06-24 Thread Chen, Gin
Does anyone have an example of a Struts Authentication Filter with Tiles?
I'm having a problem getting the correct path to forward to.
I guess I can set up a bunch of tiles action forwards but there's got to be
a better way. No?
-Tim




Re: AW: Container Managed Authentication

2003-05-29 Thread Erik Price


Hirschmann, Bernhard wrote:

Thanks, Erik, but those I already know. 
I'm looking for some hints how you can access or handle the CMA stuff using
Struts. I've seen that you can allow an action only for a specific role,
configuring in struts-config.xml. So I thought there may be more support. Do
you know anything about this?
The only way that I can think of is to use the methods in 
HttpServletRequest, but if there are Struts-specific shortcuts that I 
don't know, it's because I'm still getting into Struts myself.

Regards,

Erik



AW: Container Managed Authentication

2003-05-28 Thread Hirschmann, Bernhard

 Is there a documentation or a how-to around for CMA support in Struts?

 I found this to be helpful, although it is not struts-specific:
 http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
 If you are not using Tomcat, here is a more general explanation from the 
 JWSDP tutorial that should apply to most web containers:

http://java.sun.com/webservices/docs/1.1/tutorial/doc/WebAppSecurity.html

 Erik


Thanks, Erik, but those I already know. 
I'm looking for some hints how you can access or handle the CMA stuff using
Struts. I've seen that you can allow an action only for a specific role,
configuring in struts-config.xml. So I thought there may be more support. Do
you know anything about this?

How can I access role information from a action or logout a user and so on?

Bernhard




Re: AW: Container Managed Authentication

2003-05-28 Thread Gemes Tibor
Hirschmann, Bernhard wrote:

How can I access role information from a action or logout a user and so on?
 

With basic auth method you cannot really log out a user. The 
session.invalidate() is useful in each auth method.

request.getUserPrincipal() and request.isUserInRole(String) are good 
starting points.

Tib





Re: AW: Container Managed Authentication

2003-05-28 Thread Mark Lowe
you could look at the admin webapp in tomcat 4.1..

I think its what you're after.

cheers mark

On Wednesday, May 28, 2003, at 08:03 Europe/London, Hirschmann,  
Bernhard wrote:




Re: Container Managed Authentication

2003-05-27 Thread Erik Price


Hirschmann, Bernhard wrote:
Is there a documentation or a how-to around for CMA support in Struts?
I found this to be helpful, although it is not struts-specific:

http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

If you are not using Tomcat, here is a more general explanation from the 
JWSDP tutorial that should apply to most web containers:

http://java.sun.com/webservices/docs/1.1/tutorial/doc/WebAppSecurity.html

Erik



Re: How to do authentication in different way for different action classes

2003-04-04 Thread Max Cooper
That should work fine. /Content/*.do will still be considered an exact
pattern, and will be matched before the *.do extension pattern (no matter
what order they appear in the web.xml file). Only stuff that doesn't match
/Content/*.do but does match *.do will be secured in the example. You could
use the default mapping / to secure everything by default, and then
explicitly make /Content/*.do and perhaps /images/*, /styles/*, etc.
publicly available by adding url-patterns for them in the unsecured
web-resource-collection. You can put more than one url-mapping element in a
web-resource-collection, so it would be easy to do.

The Servlet Spec Version 2.3, sections SRV.12 and SRV.11.1 define the
matching behavior. They are pretty short and definitely worth a read for
anyone doing security stuff. I wrote some security constraints before I read
it, and I think I would have benefitted greatly from the short read had I
done it first.

Here are the most important parts (WITH MY OWN NOTES ADDED IN ALL CAPS;
SORRY FOR SHOUTING :-0):

Matching behavior for requests (from the servlet section, but the same rules
are applied for checking url-patterns for security):
1. The container will try to find an exact match of the path of the request
to the path of the servlet. A successful match selects the servlet. EXACT
PATTERNS WILL BE TRIED FIRST

2. The container will recursively try to match the longest path-prefix: This
is done by stepping down the path tree a directory at a time, using the '/'
character as a path separator. The longest match determines the servlet
selected. NOTE: 'longest' means the most path elements here -- '/a/b/c/d/*'
is longer than '/onereallylongdirectoryname/*' THEN THE PATH PATTERNS WILL
BE TRIED, STARTING WITH THE LONGEST ONES

3. If the last segment in the URL path contains an extension (e.g. .jsp),
the servlet container will try to match a servlet that handles requests for
the extension. An extension is defined as the part of the last segment after
the last '.' character. THEN THE EXTENSION PATTERNS WILL BE TRIED

4. If neither of the previous three rules result in a servlet match, the
container will attempt to serve content appropriate for the resource
requested. If a default servlet is defined for the application, it will be
used. AND FINALLY THE DEFAULT PATTERN WILL BE USED IF IT HAS BEEN SPECIFIED

OTHERWISE, NO MATCH -- ALLOW THE REQUEST


Classification rules for url-patterns in your web.xml file (path, extension,
default, exact):

1. A string beginning with a '/' character and ending with a '/*' postfix is
used for path mapping. PATH (INCLUDES '/*')
2. A string beginning with a '*.' prefix is used as an extension mapping.
EXTENSION

3. A string containing only the '/' character indicates the default
servlet of the application. In this case the servlet path is the request URI
minus the context path and the path info is null. DEFAULT

4. All other strings are used for exact matches only. IF IT DOESN'T MATCH
THE DEFINITIONS ABOVE, YOUR PATTERN IS AN EXACT PATTERN


-Max

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 03, 2003 10:33 PM
Subject: RE: How to do authentication in different way for different action
classes


Would this be valid then:

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Secured Resources</web-resource-name>
         <url-pattern>*.do</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>strutsuser</role-name>
      </auth-constraint>
   </security-constraint>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Public Resources</web-resource-name>
         <url-pattern>/Content/*.do</url-pattern>
      </web-resource-collection>
   </security-constraint>


Where /Content is a sub directory of the ROOT directory, and that
subDirectory is _NOT_ secured, but everything else _IS_ secured?

This way I do not have to put all my secured pages under /private/* and I
can just intermingle them.


-Original Message-
From: Max Cooper [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 3:25 AM
To: Struts Users Mailing List; [EMAIL PROTECTED]
Subject: Re: How to do authentication in different way for different
action classes


You should keep *.do for your servlet mapping.

Assuming you are using container-managed security, you can do something like
this for your security constraints:

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Secured Resources</web-resource-name>
         <url-pattern>*.do</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>strutsuser</role-name>
      </auth-constraint>
   </security-constraint>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Public Resources</web-resource-name>
         <url-pattern>/welcome.do</url-pattern>
      </web-resource-collection>
   </security-constraint>

The servlet spec requires that exact patterns like /welcome.do should
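To make the classification and ordering rules Max quotes concrete, here is an added example (not code from the thread, and not taken from any servlet container) that implements them in Python and applies them to security constraints shaped like the web.xml fragments above. It assumes best-match semantics for constraints (the highest-priority matching url-pattern decides; ties between constraints at the same level are not modelled) and treats a constraint with no roles as public; the constraint sets and request paths are constructed for the demonstration.

```python
"""Servlet 2.3 url-pattern classification and matching, applied to
security-constraint lookup (added example, not code from the thread).

The rules are the ones quoted from the spec in the message above:
classification (path, extension, default, otherwise exact) and the
matching order exact -> longest path prefix -> extension -> default.
Constraint semantics are an assumption of this example: the single
best-matching url-pattern decides, and a constraint with no roles is
public.  All constraint sets and request paths below are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

EXACT, PATH, EXTENSION, DEFAULT = "exact", "path", "extension", "default"


def classify(pattern: str) -> str:
    """Classification rules 1-4: path, extension, default, else exact."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return PATH
    if pattern.startswith("*."):
        return EXTENSION
    if pattern == "/":
        return DEFAULT
    return EXACT


def matches(pattern: str, request_path: str) -> bool:
    """Does one url-pattern match the request path (context path removed)?"""
    kind = classify(pattern)
    if kind == EXACT:
        # An exact pattern matches only the literal path, so "/Content/*.do"
        # matches a request for "/Content/*.do" and nothing else.
        return request_path == pattern
    if kind == PATH:
        prefix = pattern[:-2]  # drop the trailing "/*"
        return request_path == prefix or request_path.startswith(prefix + "/")
    if kind == EXTENSION:
        last_segment = request_path.rsplit("/", 1)[-1]
        return "." in last_segment and last_segment.rsplit(".", 1)[-1] == pattern[2:]
    return True  # the default pattern "/" matches everything


def _priority(pattern: str) -> Tuple[int, int]:
    """Lower sorts first: exact, then path (more segments first), extension, default."""
    kind = classify(pattern)
    if kind == EXACT:
        return (0, 0)
    if kind == PATH:
        return (1, -pattern.count("/"))  # '/a/b/c/d/*' beats '/onereallylongdirectoryname/*'
    if kind == EXTENSION:
        return (2, 0)
    return (3, 0)


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: its url-patterns and <auth-constraint> roles."""
    name: str
    url_patterns: Tuple[str, ...]
    roles: Tuple[str, ...] = ()  # empty: no <auth-constraint>, i.e. public


def best_match(constraints: Sequence[Constraint], request_path: str) -> Optional[Tuple[Constraint, str]]:
    """Return (constraint, pattern) for the best-matching url-pattern, or None."""
    candidates = [(c, p) for c in constraints for p in c.url_patterns if matches(p, request_path)]
    if not candidates:
        return None  # no constraint matches: the container allows the request
    return min(candidates, key=lambda cp: _priority(cp[1]))


def requires_auth(constraints: Sequence[Constraint], request_path: str) -> bool:
    """True when the best-matching constraint carries roles (login required)."""
    found = best_match(constraints, request_path)
    return found is not None and bool(found[0].roles)


# Constructed constraint sets mirroring the web.xml fragments in the thread.
THREAD_CONSTRAINTS = (
    Constraint("Secured Resources", ("*.do",), ("strutsuser",)),
    Constraint("Public Resources", ("/welcome.do",)),
    Constraint("Public Content", ("/Content/*.do",)),  # rule 4: an exact pattern
)
PATH_CONSTRAINTS = (
    Constraint("Secured Resources", ("*.do",), ("strutsuser",)),
    Constraint("Public Content", ("/Content/*", "/images/*", "/styles/*")),
)
DEFAULT_SECURED = (
    Constraint("Everything", ("/",), ("strutsuser",)),  # secure by default
    Constraint("Public Content", ("/Content/*", "/images/*", "/styles/*")),
)


def audit(constraints: Sequence[Constraint], paths: Sequence[str]) -> dict:
    """Map each request path to whether the constraint set requires login for it."""
    return {p: requires_auth(constraints, p) for p in paths}


if __name__ == "__main__":
    sample = ["/welcome.do", "/admin.do", "/Content/news.do", "/Content/*.do",
              "/images/logo.gif", "/index.html"]
    for label, cs in (("thread", THREAD_CONSTRAINTS), ("path", PATH_CONSTRAINTS),
                      ("default", DEFAULT_SECURED)):
        print(label, audit(cs, sample))
```

Running it shows why a secure-by-default layout needs path patterns for its public areas: by classification rule 4, "/Content/*.do" is an exact pattern and only matches a request for that literal path, so "/Content/news.do" falls through to "*.do" and is secured, whereas "/Content/*" is a path pattern and wins over "*.do" for everything under /Content. With "/" as a secured default pattern, a request that matches no explicit public pattern (for example "/index.html") is secured, which is the fail-closed behaviour you want from a constraint set.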

Authentication and Authorisation Newbie

2003-04-04 Thread Brian McSweeney
Hi all,

I'm using JBoss and EJBs and struts as my web app. 
I've got some resources that are protected and for the 
moment I've written a Filter which protects them. 

However this may not be the best way to do this. I'm 
vaguely aware that J2EE can use JAAS and I can have
things like roles and principals and that these can
be propagated from the servlets to methods on the
session facade and that this is probably the right 
way to go.

However the limited bit of documentation that I've 
read on this seems very non-standard and confusing.

I'd like to know people's experience with this area and 
any advice if possible.

thanks very much,
Brian


RE: Authentication and Authorisation Newbie

2003-04-04 Thread Mick . Knutson
Let me tell you. Learning JAAS sucks.
But, now that I have spent 2 months learning it, I will tell you...
First, read the JavaWorld.com document on JBossSX and JAAS. That is a start. But there 
are several things that confused the heck out of me.
http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html

If, after reading that document, you have any questions, email me.
BTW, Are you going to use the DatabaseServerLoginModule? It is very easy.
Also, email me and I will send you the files I have as an example of using 
DatabaseServerLoginModule

-Original Message-
From: Brian McSweeney [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2003 4:46 PM
To: Struts Users Mailing List
Subject: Authentication and Authorisation Newbie


Hi all,

I'm using JBoss and EJBs and struts as my web app. 
I've got some resources that are protected and for the 
moment I've written a Filter which protects them. 

However this may not be the best way to do this. I'm 
vaguely aware that J2EE can use JAAS and I can have
things like roles and principals and that these can
be propagated from the servlets to methods on the
session facade and that this is probably the right 
way to go.

However the limited bit of documentation that I've 
read on this seems very non-standard and confusing.

I'd like to know people's experience with this area and 
any advice if possible.

thanks very much,
Brian

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named.  If you are not the named addressee you
should not disseminate, distribute or copy this e-mail.  Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses.  The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission.  If
verification is required please request a hard-copy version.  This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.





Re: Authentication and Authorisation Newbie

2003-04-04 Thread V. Cekvenich
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/basicportal/bP/WEB-INF/web.xml

It's per the J2EE spec, in web.xml as above, with full working struts example
source.

.V

Brian McSweeney wrote:
Hi all,

I'm using JBoss and EJBs and struts as my web app. 
I've got some resources that are protected and for the 
moment I've written a Filter which protects them. 

However this may not be the best way to do this. I'm 
vaguely aware that J2EE can use JAAS and I can have
things like roles and principals and that these can
be propagated from the servlets to methods on the
session facade and that this is probably the right 
way to go.

However the limited bit of documentation that I've 
read on this seems very non-standard and confusing.

I'd like to know people's experience with this area and 
any advice if possible.

thanks very much,
Brian




Re: Authentication and Authorisation Newbie

2003-04-04 Thread Brian McSweeney
Incredibly nice of you, Mike.

Thanks so much, I'll read it over the weekend and mail you next week if
I have problems.

But before I start, once you understand JAAS, is it the right way to go in
terms of authentication and authorisation? Is it worth the trouble I mean.

thanks so much,
Brian


- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 04, 2003 4:00 PM
Subject: RE: Authentication and Authorisation Newbie


 Let me tell you. Learning JAAS sucks.
 But, now that I have spent 2 months learning it, I will tell you...
 First, read the JavaWorld.com document on JBossSX and JAAS. That is a
start. But there are several things that confused the heck out of me.
 http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html

 If, after reading that document, you have any questions, email me.
 BTW, Are you going to use the DatabaseServerLoginModule? It is very easy.
 Also, email me and I will send you the files I have as an example of using
DatabaseServerLoginModule

 -Original Message-
 From: Brian McSweeney [mailto:[EMAIL PROTECTED]
 Sent: Friday, April 04, 2003 4:46 PM
 To: Struts Users Mailing List
 Subject: Authentication and Authorisation Newbie


 Hi all,

 I'm using JBoss and EJBs and struts as my web app.
 I've got some resources that are protected and for the
 moment I've written a Filter which protects them.

 However this may not be the best way to do this. I'm
 vaguely aware that J2EE can use JAAS and I can have
 things like roles and principals and that these can
 be propagated from the servlets to methods on the
 session facade and that this is probably the right
 way to go.

 However the limited bit of documentation that I've
 read on this seems very non-standard and confusing.

 I'd like to know people's experience with this area and
 any advice if possible.

 thanks very much,
 Brian









Re: Authentication and Authorisation Newbie

2003-04-04 Thread wayne . lesley . lund
Brian,

You may want to look at other options.  For example, although WLS 8.1
supports JAAS, they encourage the use of their entitlements system through
their security SPI.  You should check out JSR 115.  Also, this is not a
bad article:

http://www.javaworld.com/javaworld/jw-09-2002/jw-0913-jaas.html

I've been through a similar experience as Mike below and found it confusing.
For WLS 6.1 we needed to extend JAAS as it wasn't completely supported - no
authorization - and so wrote some JAAS extensions to support a (Role
Based Authorization) RBAC model.  We're just working on designs now to see
if we can deprecate it in light of BEA's extensive security support with WLS
8.1.

Hope that helps,

Wayne Lund
Accenture
Global Architecture and Core Technologies, Seattle
[EMAIL PROTECTED]
(p:) 206.839.2169
(c:) 206 849-6867
(o:) 239/2168




Brian McSweeney [EMAIL PROTECTED]
04/04/2003 07:16 AM
Please respond to Struts Users Mailing List

 
To: Struts Users Mailing List [EMAIL PROTECTED]
cc: 
Subject:Re: Authentication and Authorisation Newbie

Incredibly nice of you, Mike.

Thanks so much, I'll read it over the weekend and mail you next week if
I have problems.

But before I start, once you understand JAAS, is it the right way to go in
terms of authentication and authorisation? Is it worth the trouble I mean.

thanks so much,
Brian


- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 04, 2003 4:00 PM
Subject: RE: Authentication and Authorisation Newbie


 Let me tell you. Learning JAAS sucks.
 But, now that I have spent 2 months learning it, I will tell you...
 First, read the JavaWorld.com document on JBossSX and JAAS. That is a
start. But there are several things that confused the heck out of me.
 http://www.javaworld.com/javaworld/jw-08-2001/jw-0831-jaas.html

 If, after reading that document, you have any questions, email me.
 BTW, Are you going to use the DatabaseServerLoginModule? It is very 
easy.
 Also, email me and I will send you the files I have as an example of 
using
DatabaseServerLoginModule

 -Original Message-
 From: Brian McSweeney [mailto:[EMAIL PROTECTED]
 Sent: Friday, April 04, 2003 4:46 PM
 To: Struts Users Mailing List
 Subject: Authentication and Authorisation Newbie


 Hi all,

 I'm using JBoss and EJBs and struts as my web app.
 I've got some resources that are protected and for the
 moment I've written a Filter which protects them.

 However this may not be the best way to do this. I'm
 vaguely aware that J2EE can use JAAS and I can have
 things like roles and principals and that these can
 be propagated from the servlets to methods on the
 session facade and that this is probably the right
 way to go.

 However the limited bit of documentation that I've
 read on this seems very non-standard and confusing.

 I'd like to know people's experience with this area and
 any advice if possible.

 thanks very much,
 Brian











RE: How to do authentication in different way for different action classes

2003-04-04 Thread Rajendra Kadam
Hi Max,

Thanks for explaining this in great detail.

Still I'm not able to solve my issue.

Here is the problem with more description:

My current web.xml looks like:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CCO</web-resource-name>
      <url-pattern>/login.do</url-pattern>
      <url-pattern>/pim/requestAdmin.do</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>

    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>


  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public Resources</web-resource-name>
      <url-pattern>/pim/welcome.do</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>CCO</realm-name>
  </login-config>

But now the authentication dialog pops up for welcome.do also. Am I missing
something here?

Also one thing I want to mention here: we don't much care about
role-name. Will that be a problem?

Thanks again,
raju

-Original Message-
From: Max Cooper [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 04, 2003 3:11 AM
To: Struts Users Mailing List
Subject: Re: How to do authentication in different way for different
action classes


That should work fine. /Content/*.do will still be considered an exact
pattern, and will be matched before the *.do extension pattern (no
matter what order they appear in the web.xml file). Only stuff that
doesn't match /Content/*.do but does match *.do will be secured in the
example. You could use the default mapping / to secure everything by
default, and then explicitly make /Content/*.do and perhaps /images/*,
/styles/*, etc. publicly available by adding url-patterns for them in
the unsecured web-resource-collection. You can put more than one
url-mapping element in a web-resource-collection, so it would be easy to
do.

The Servlet Spec Version 2.3, sections SRV.12 and SRV.11.1 define the
matching behavior. They are pretty short and definitely worth a read for
anyone doing security stuff. I wrote some security constraints before I
read it, and I think I would have benefitted greatly from the short read
had I done it first.

Here are the most important parts (WITH MY OWN NOTES ADDED IN ALL CAPS;
SORRY FOR SHOUTING :-0):

Matching behavior for requests (from the servlet section, but the same
rules are applied for checking url-patterns for security):
1. The container will try to find an exact match of the path of the request
to the path of the servlet. A successful match selects the servlet. EXACT
PATTERNS WILL BE TRIED FIRST

2. The container will recursively try to match the longest path-prefix:
This is done by stepping down the path tree a directory at a time, using
the '/' character as a path separator. The longest match determines the
servlet selected. NOTE: 'longest' means the most path elements here --
'/a/b/c/d/*' is longer than '/onereallylongdirectoryname/*' THEN THE
PATH PATTERNS WILL BE TRIED, STARTING WITH THE LONGEST ONES

3. If the last segment in the URL path contains an extension (e.g.
.jsp), the servlet container will try to match a servlet that handles
requests for the extension. An extension is defined as the part of the
last segment after the last '.' character. THEN THE EXTENSION PATTERNS
WILL BE TRIED

4. If neither of the previous three rules result in a servlet match, the
container will attempt to serve content appropriate for the resource
requested. If a default servlet is defined for the application, it
will be used. AND FINALLY THE DEFAULT PATTERN WILL BE USED IF IT HAS
BEEN SPECIFIED

OTHERWISE, NO MATCH -- ALLOW THE REQUEST


Classification rules for url-patterns in your web.xml file (path,
extension, default, exact):

1. A string beginning with a '/' character and ending with a '/*'
postfix is used for path mapping. PATH (INCLUDES '/*')

2. A string beginning with a '*.' prefix is used as an extension mapping.
EXTENSION

3. A string containing only the '/' character indicates the default
servlet of the application. In this case the servlet path is the request
URI minus the context path and the path info is null. DEFAULT

4. All other strings are used for exact matches only. IF IT DOESN'T
MATCH THE DEFINITIONS ABOVE, YOUR PATTERN IS AN EXACT PATTERN


-Max

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 03, 2003 10:33 PM
Subject: RE: How to do authentication in different way for different
action classes


Would this be valid then:

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Secured Resources</web-resource-name>
         <url-pattern>*.do</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>strutsuser</role-name>
      </auth-constraint>
   </security-constraint>

   security

Re: How to do authentication in different way for different action classes

2003-04-04 Thread Max Cooper
Well, since it won't be protected under any of the other url-patterns, you
could simply remove this security-constraint:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Public Resources</web-resource-name>
      <url-pattern>/pim/welcome.do</url-pattern>
   </web-resource-collection>
</security-constraint>

What server are you using? I am pretty sure we used a security-constraint
with no roles associated with it to allow public access (no authentication
required) on one of the projects I worked on with WebLogic 5.10 at one
point. The spec is not crystal clear about how that should work, so it is
possible that different servers have implemented it differently. I am not
sure about this, but I wonder if some servers assume that even
unauthenticated users are in some 'everybody' or 'guest' group. If that is
the case (and I am not sure if it is), you might be able to require that
role for the items you want to be public.

Some/all servers require that you list out the roles that are relevant for
your application in the web.xml with sections like this:

   <security-role>
      <description>arole</description>
      <role-name>arole</role-name>
   </security-role>

Then when you specify <role-name>*</role-name>, I think it will try all the
roles listed in web.xml to see if the user has any of them. Your users will
need to have one of the roles to be able to access the protected resources.

But removing the security-constraint above should take care of your
current issue.

Hope that helps,
-Max

- Original Message -
From: Rajendra Kadam [EMAIL PROTECTED]
To: 'Struts Users Mailing List' [EMAIL PROTECTED]
Sent: Friday, April 04, 2003 11:08 AM
Subject: RE: How to do authentication in different way for different action
classes


 Hi Max,

 Thanks for explaining this in great detail.

 Still I'm not able to solve my issue.

 Here is the problem with more description:

 My current web.xml looks like:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>CCO</web-resource-name>
       <url-pattern>/login.do</url-pattern>
       <url-pattern>/pim/requestAdmin.do</url-pattern>
       <http-method>DELETE</http-method>
       <http-method>POST</http-method>
       <http-method>GET</http-method>
       <http-method>PUT</http-method>
     </web-resource-collection>

     <auth-constraint>
       <role-name>*</role-name>
     </auth-constraint>
   </security-constraint>


   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Public Resources</web-resource-name>
       <url-pattern>/pim/welcome.do</url-pattern>
     </web-resource-collection>
   </security-constraint>

   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name>CCO</realm-name>
   </login-config>

 But now the authentication dialog pops up for welcome.do also. Am I missing
 something here?

 Also one thing I want to mention here: we don't much care about
 role-name. Will that be a problem?

 Thanks again,
 raju

 -Original Message-
 From: Max Cooper [mailto:[EMAIL PROTECTED]
 Sent: Friday, April 04, 2003 3:11 AM
 To: Struts Users Mailing List
 Subject: Re: How to do authentication in different way for different
 action classes


 That should work fine. /Content/*.do will still be considered an exact
 pattern, and will be matched before the *.do extension pattern (no
 matter what order they appear in the web.xml file). Only stuff that
 doesn't match /Content/*.do but does match *.do will be secured in the
 example. You could use the default mapping / to secure everything by
 default, and then explicitly make /Content/*.do and perhaps /images/*,
 /styles/*, etc. publicly available by adding url-patterns for them in
 the unsecured web-resource-collection. You can put more than one
 url-mapping element in a web-resource-collection, so it would be easy to
 do.

 The Servlet Spec Version 2.3, sections SRV.12 and SRV.11.1 define the
 matching behavior. They are pretty short and definitely worth a read for
 anyone doing security stuff. I wrote some security constraints before I
 read it, and I think I would have benefitted greatly from the short read
 had I done it first.

 Here are the most important parts (WITH MY OWN NOTES ADDED IN ALL CAPS;
 SORRY FOR SHOUTING :-0):

 Matching behavior for requests (from the servlet section, but the same
 rules are applied for checking url-patterns for security):
 1. The container will try to find an exact match of the path of the request
 to the path of the servlet. A successful match selects the servlet. EXACT
 PATTERNS WILL BE TRIED FIRST

 2. The container will recursively try to match the longest path-prefix:
 This is done by stepping down the path tree a directory at a time, using
 the '/' character as a path separator. The longest match determines the
 servlet selected. NOTE: 'longest' means the most path elements here --
 '/a/b/c/d/*' is longer than '/onereallylongdirectoryname/*' THEN THE
 PATH PATTERNS

How to do authentication in different way for different action classes

2003-04-03 Thread Rajendra Kadam
Hi,

In our application,

I don't want to do authentication for the first action class ( welcome.do )
But at the same time, I want to do authentication for all other action
classes.

Initially my web.xml was looking like this

  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    ..
  </servlet>

  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>

But the disadvantage of doing it this way is that the Authentication Dialog
box comes up for welcome.do also, which I don't want.

Hence right now I'm putting all action classes for which authentication
is required into url-pattern as shown below :

  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>/abc.do</url-pattern>
    <url-pattern>/xya.do</url-pattern>
    <url-pattern>/sdabc.do</url-pattern>
    ..
  </servlet-mapping>

Since I have not mentioned welcome.do in the above place, it doesn't do
authentication for it.

The disadvantage of doing this is that every time I add a new Action class, I
have to make an entry into this url-pattern.

Is there any better way of doing this ?

TIA,
raju
 

