Re: Struts 2 Container Security problem
I installed the latest fix pack for WebSphere, bringing my version up to 6.1.0.21 and it did the trick. The Web container authentication now works as I expected it to.

Thanks for the feedback.

Pete.

pblatner wrote:
> I don't see how this fix applies to the problem I mentioned below:
> http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK31377
>
> The text there doesn't say anything about resolving an issue where
> WebSphere doesn't seem to be recognizing servlet filters as resources to
> secure using web container authentication.
>
> Musachy Barroso wrote:
>> Just as a reference, there is a ticket open for this:
>>
>> https://issues.apache.org/struts/browse/WW-2642
>>
>> musachy
>>
>> On Mon, Mar 16, 2009 at 5:37 PM, Struts Two wrote:
>>> There is a problem running Struts 2.1.6 on WebSphere when security is
>>> enabled. The case happens when url is an action not a resource like jsp
>>> or html. Refer to JIRA WW-2642 that I opened almost a year ago.
>>>
>>> I was hoping that Apache group can get their hands on WebSphere to
>>> verify the issue but it seems like a distant probability as I have not
>>> heard any news on that for some time.
>>>
>>> But on the bright side, there may be some good news on this soon. As I
>>> had to locate WAS L3 support in person and I am working with them on
>>> this issue [though the pace is slow].
>>>
>>> Also keep in mind, the same issue exists on WAS 7.0.0.1 with a slight
>>> variation. If this is determined to be a WebSphere problem with WAS 6.1,
>>> then I have a stronger case to press issue for WAS 7.0.
>>>
>>> --- On Mon, 3/16/09, pblatner wrote:
>>>
>>>> From: pblatner
>>>> Subject: Re: Struts 2 Container Security problem
>>>> To: user@struts.apache.org
>>>> Received: Monday, March 16, 2009, 9:05 PM
>>>>
>>>> I have tried to do the exact thing that Jeromy suggests below with 2
>>>> packages. And then in the web.xml specify a security constraint with
>>>> the URL pattern "/protected/*". After doing so, I am not getting the
>>>> result that I think I should be.
>>>>
>>>> When issuing a request for my action at
>>>> "http://localhost/MyApp/protected/HomeAction", the container is not
>>>> intercepting and challenging me with my logon.html page.
>>>>
>>>> Anyone know why this isn't working?
>>>>
>>>> The struts 2 servlet-filter pattern is "/*". It seems pretty obvious
>>>> that the struts 2 servlet filter is responding to the first part of
>>>> the URL: "http://localhost/MyApp/*" and the container isn't seeing
>>>> that as a secured resource.
>>>>
>>>> Am I missing a configuration pattern somewhere that tells the
>>>> container to inspect the full URL before allowing the servlet filter
>>>> to process it?
>>>>
>>>> My deployment environment is WebSphere 6.1. Are there any
>>>> incompatibilities between WebSphere 6.1 and struts 2 that could be
>>>> causing this?
>>>>
>>>> Thanks,
>>>> Pete.
>>>>
>>>> Jeromy Evans - Blue Sky Minds wrote:
>>>> > In struts.xml, the namespace given to your package needs be in
>>>> > /protected as well.
>>>> > eg. namespace="/protected">
>>>> > Otherwise, as you've seen, it's available in the root of the
>>>> > application's context path.
>>>> >
>>>> > I usually split my struts2 application into at least two packages:
>>>> > ...
>>
>> --
>> "Hey you! Would you help me to carry the stone?" Pink Floyd

--
View this message in context: http://www.nabble.com/Struts-2-Container-Security-problem-tp15571409p22568026.html
Sent from the Struts - User mailing list archive at Nabble.com.

To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
Re: Struts 2 Container Security problem
I don't see how this fix applies to the problem I mentioned below:
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg1PK31377

The text there doesn't say anything about resolving an issue where WebSphere doesn't seem to be recognizing servlet filters as resources to secure using web container authentication.

Musachy Barroso wrote:
> Just as a reference, there is a ticket open for this:
>
> https://issues.apache.org/struts/browse/WW-2642
>
> musachy
>
> On Mon, Mar 16, 2009 at 5:37 PM, Struts Two wrote:
>> There is a problem running Struts 2.1.6 on WebSphere when security is
>> enabled. The case happens when url is an action not a resource like jsp
>> or html. Refer to JIRA WW-2642 that I opened almost a year ago.
>>
>> I was hoping that Apache group can get their hands on WebSphere to verify
>> the issue but it seems like a distant probability as I have not heard any
>> news on that for some time.
>>
>> But on the bright side, there may be some good news on this soon. As I
>> had to locate WAS L3 support in person and I am working with them on this
>> issue [though the pace is slow].
>>
>> Also keep in mind, the same issue exists on WAS 7.0.0.1 with a slight
>> variation. If this is determined to be a WebSphere problem with WAS 6.1,
>> then I have a stronger case to press issue for WAS 7.0.
>>
>> --- On Mon, 3/16/09, pblatner wrote:
>>
>>> From: pblatner
>>> Subject: Re: Struts 2 Container Security problem
>>> To: user@struts.apache.org
>>> Received: Monday, March 16, 2009, 9:05 PM
>>>
>>> I have tried to do the exact thing that Jeromy suggests below with 2
>>> packages. And then in the web.xml specify a security constraint with
>>> the URL pattern "/protected/*". After doing so, I am not getting the
>>> result that I think I should be.
>>>
>>> When issuing a request for my action at
>>> "http://localhost/MyApp/protected/HomeAction", the container is not
>>> intercepting and challenging me with my logon.html page.
>>>
>>> Anyone know why this isn't working?
>>>
>>> The struts 2 servlet-filter pattern is "/*". It seems pretty obvious
>>> that the struts 2 servlet filter is responding to the first part of
>>> the URL: "http://localhost/MyApp/*" and the container isn't seeing
>>> that as a secured resource.
>>>
>>> Am I missing a configuration pattern somewhere that tells the
>>> container to inspect the full URL before allowing the servlet filter
>>> to process it?
>>>
>>> My deployment environment is WebSphere 6.1. Are there any
>>> incompatibilities between WebSphere 6.1 and struts 2 that could be
>>> causing this?
>>>
>>> Thanks,
>>> Pete.
>>>
>>> Jeromy Evans - Blue Sky Minds wrote:
>>> > In struts.xml, the namespace given to your package needs be in
>>> > /protected as well.
>>> > eg. namespace="/protected">
>>> > Otherwise, as you've seen, it's available in the root of the
>>> > application's context path.
>>> >
>>> > I usually split my struts2 application into at least two packages:
>>> > ...
>
> --
> "Hey you! Would you help me to carry the stone?" Pink Floyd

--
View this message in context: http://www.nabble.com/Struts-2-Container-Security-problem-tp15571409p22562774.html
Sent from the Struts - User mailing list archive at Nabble.com.
Re: Struts 2 Container Security problem
I have tried to do the exact thing that Jeromy suggests below with 2 packages. And then in the web.xml specify a security constraint with the URL pattern "/protected/*". After doing so, I am not getting the result that I think I should be.

When issuing a request for my action at "http://localhost/MyApp/protected/HomeAction", the container is not intercepting and challenging me with my logon.html page.

Anyone know why this isn't working?

The struts 2 servlet-filter pattern is "/*". It seems pretty obvious that the struts 2 servlet filter is responding to the first part of the URL: "http://localhost/MyApp/*" and the container isn't seeing that as a secured resource.

Am I missing a configuration pattern somewhere that tells the container to inspect the full URL before allowing the servlet filter to process it?

My deployment environment is WebSphere 6.1. Are there any incompatibilities between WebSphere 6.1 and struts 2 that could be causing this?

Thanks,
Pete.

Jeromy Evans - Blue Sky Minds wrote:
> In struts.xml, the namespace given to your package needs be in
> /protected as well.
> eg.
> Otherwise, as you've seen, it's available in the root of the
> application's context path.
>
> I usually split my struts2 application into at least two packages:
> ...

--
View this message in context: http://www.nabble.com/Struts-2-Container-Security-problem-tp15571409p22547426.html
Sent from the Struts - User mailing list archive at Nabble.com.
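
The setup discussed in this thread, written out as an added example (not configuration posted by any participant): a Struts 2 filter mapped to "/*", a container security constraint on "/protected/*" with form login to logon.html, and a struts.xml package in the matching namespace. The role name, error page, package names, action class and result path are assumptions; the filter class is the one shipped with Struts 2.1.x.

```xml
<!-- web.xml (Servlet 2.4 fragment, goes inside <web-app>) -->
<filter>
  <filter-name>struts2</filter-name>
  <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>struts2</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected actions</web-resource-name>
    <!-- Matched against the request path, so /protected/HomeAction is covered
         even though only the filter (no servlet or file) answers at that path. -->
    <url-pattern>/protected/*</url-pattern>
    <!-- No <http-method> elements: the constraint applies to every HTTP method. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/logon.html</form-login-page>
    <form-error-page>/logon-error.html</form-error-page> <!-- assumed page -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- struts.xml (goes inside <struts>): actions that must be protected live in a
     package whose namespace falls under the constrained URL pattern. -->
<package name="public" namespace="/" extends="struts-default">
  <!-- actions reachable without authentication -->
</package>
<package name="protected" namespace="/protected" extends="struts-default">
  <action name="HomeAction" class="example.HomeAction"> <!-- hypothetical class -->
    <result>/WEB-INF/pages/home.jsp</result> <!-- hypothetical view -->
  </action>
</package>
```

A quick check after deployment is to request /MyApp/protected/HomeAction with no session and confirm the response is the logon.html form rather than the action's result; any action left in the "/" namespace stays reachable without the challenge.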