RE: security struts action servlet

2006-02-10 Thread Garner, Shawn
I'm only using servlet 2.3.
I wrote a filter and tried that out but I couldn't ever detect the /pages/*
context.  All I could see was index.jsp and /welcome.do.

Shawn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig
McClanahan
Sent: Friday, February 10, 2006 2:35 PM
To: Struts Users Mailing List
Subject: Re: security struts action servlet

On 2/10/06, Garner, Shawn <[EMAIL PROTECTED]> wrote:
>
> Sorry, that's what I meant.  It's a forward.  Not a redirect.
>
> How do I apply my security to /pages/* in this case?


If you are talking about container managed security, you cannot ... you'll
have to use a redirect.

If you are using some other security technology that is based on servlet
filters, AND if you are on Servlet 2.4 or later, you can set up your filter
mapping to operate on forwards as well as the initial request.


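    <filter-mapping>
        <filter-name>MySecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>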


Shawn


Craig

-Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig
> McClanahan
> Sent: Friday, February 10, 2006 1:35 PM
> To: Struts Users Mailing List
> Subject: Re: security struts action servlet
>
> On 2/10/06, Garner, Shawn <[EMAIL PROTECTED]> wrote:
> >
> > I was messing around with security in the web.xml and tried to implement
> > authorization restrictions with the struts-blank.war.
> >
> > I put restrictions on the /pages/* directory.
> >
> > Funny thing is that it seems that since the index.jsp does a redirect to the
> > pages directory and the action servlet does the mapping from welcome.do to
> > /pages/Welcome.jsp that I am not prompted for a username and password.
>
>
> Are you sure it's doing a redirect?  If this were a forward, the symptom you
> described would be the expected behavior, since security constraints are
> only applied on the original request.
>
> Craig
>
> > But if I literally type in /pages/Welcome.jsp into the browser it prompts me
> > for a password.
> >
> > I read the servlet api but I couldn't find much to do with servlet
> > security.
> >
> >
> >
> > I wasn't sure how to get my action servlet to obey the /pages/* security
> > rule too.
> >
> >
> >
> > Any help?
> >
> >
> >
> > Shawn
> >
> >
> >
> >
>
>

> > This email may contain confidential material.
> > If you were not an intended recipient,
> > Please notify the sender and delete all copies.
> > We may monitor email to and from our network.
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]



Re: security struts action servlet

2006-02-10 Thread Craig McClanahan
On 2/10/06, Garner, Shawn <[EMAIL PROTECTED]> wrote:
>
> Sorry, that's what I meant.  It's a forward.  Not a redirect.
>
> How do I apply my security to /pages/* in this case?


If you are talking about container managed security, you cannot ... you'll
have to use a redirect.

If you are using some other security technology that is based on servlet
filters, AND if you are on Servlet 2.4 or later, you can set up your filter
mapping to operate on forwards as well as the initial request.


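    <filter-mapping>
        <filter-name>MySecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>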


Shawn


Craig

-Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig
> McClanahan
> Sent: Friday, February 10, 2006 1:35 PM
> To: Struts Users Mailing List
> Subject: Re: security struts action servlet
>
> On 2/10/06, Garner, Shawn <[EMAIL PROTECTED]> wrote:
> >
> > I was messing around with security in the web.xml and tried to implement
> > authorization restrictions with the struts-blank.war.
> >
> > I put restrictions on the /pages/* directory.
> >
> > Funny thing is that it seems that since the index.jsp does a redirect to the
> > pages directory and the action servlet does the mapping from welcome.do to
> > /pages/Welcome.jsp that I am not prompted for a username and password.
>
>
> Are you sure it's doing a redirect?  If this were a forward, the symptom you
> described would be the expected behavior, since security constraints are
> only applied on the original request.
>
> Craig
>
> > But if I literally type in /pages/Welcome.jsp into the browser it prompts me
> > for a password.
> >
> > I read the servlet api but I couldn't find much to do with servlet
> > security.
> >
> >
> >
> > I wasn't sure how to get my action servlet to obey the /pages/* security
> > rule too.
> >
> >
> >
> > Any help?
> >
> >
> >
> > Shawn
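The filter-based approach from the reply above, sketched as an added example (not code posted by anyone in this thread). It assumes Servlet 2.4 or later, the filter-mapping shown above with both REQUEST and FORWARD dispatchers, and a hypothetical role name "user"; the /pages/ prefix is the one discussed in the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MySecurityFilter implements Filter {
    // Assumptions for this example: the protected prefix from the thread
    // and a hypothetical role name.
    private static final String PROTECTED_PREFIX = "/pages/";
    private static final String REQUIRED_ROLE = "user";

    private FilterConfig config;

    public void init(FilterConfig config) throws ServletException {
        this.config = config;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // On a FORWARD dispatch these describe the forward target
        // (/pages/Welcome.jsp), not the URL the browser sent (/welcome.do).
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (path.startsWith(PROTECTED_PREFIX) && !request.isUserInRole(REQUIRED_ROLE)) {
            // Servlet 2.4 stores the browser's original URI in this attribute
            // during a forward; it is null on a direct REQUEST dispatch.
            String original = (String) request.getAttribute("javax.servlet.forward.request_uri");
            if (original == null) {
                original = request.getRequestURI();
            }
            config.getServletContext().log("Denied access under " + PROTECTED_PREFIX
                    + "; browser requested " + original);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

isUserInRole returns false for a user who has not logged in, so a forward from an unconstrained URL such as /welcome.do is answered with 403 rather than a login prompt. Under Servlet 2.3 there is no dispatcher element, so a filter runs only for the initial request and never sees the forward to /pages/*.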


RE: security struts action servlet

2006-02-10 Thread Garner, Shawn
Sorry, that's what I meant.  It's a forward.  Not a redirect.

How do I apply my security to /pages/* in this case?


Shawn


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig
McClanahan
Sent: Friday, February 10, 2006 1:35 PM
To: Struts Users Mailing List
Subject: Re: security struts action servlet

On 2/10/06, Garner, Shawn <[EMAIL PROTECTED]> wrote:
>
> I was messing around with security in the web.xml and tried to implement
> authorization restrictions with the struts-blank.war.
>
> I put restrictions on the /pages/* directory.
>
> Funny thing is that it seems that since the index.jsp does a redirect to the
> pages directory and the action servlet does the mapping from welcome.do to
> /pages/Welcome.jsp that I am not prompted for a username and password.


Are you sure it's doing a redirect?  If this were a forward, the symptom you
described would be the expected behavior, since security constraints are
only applied on the original request.

Craig

> But if I literally type in /pages/Welcome.jsp into the browser it prompts me
> for a password.
>
> I read the servlet api but I couldn't find much to do with servlet
> security.
>
>
>
> I wasn't sure how to get my action servlet to obey the /pages/* security
> rule too.
>
>
>
> Any help?
>
>
>
> Shawn



Re: security struts action servlet

2006-02-10 Thread Craig McClanahan
On 2/10/06, Garner, Shawn <[EMAIL PROTECTED]> wrote:
>
> I was messing around with security in the web.xml and tried to implement
> authorization restrictions with the struts-blank.war.
>
> I put restrictions on the /pages/* directory.
>
> Funny thing is that it seems that since the index.jsp does a redirect to the
> pages directory and the action servlet does the mapping from welcome.do to
> /pages/Welcome.jsp that I am not prompted for a username and password.


Are you sure it's doing a redirect?  If this were a forward, the symptom you
described would be the expected behavior, since security constraints are
only applied on the original request.

Craig

> But if I literally type in /pages/Welcome.jsp into the browser it prompts me
> for a password.
>
> I read the servlet api but I couldn't find much to do with servlet
> security.
>
>
>
> I wasn't sure how to get my action servlet to obey the /pages/* security
> rule too.
>
>
>
> Any help?
>
>
>
> Shawn


security struts action servlet

2006-02-10 Thread Garner, Shawn
I was messing around with security in the web.xml and tried to implement
authorization restrictions with the struts-blank.war.

I put restrictions on the /pages/* directory.

Funny thing is that it seems that since the index.jsp does a redirect to the
pages directory and the action servlet does the mapping from welcome.do to
/pages/Welcome.jsp that I am not prompted for a username and password.

But if I literally type in /pages/Welcome.jsp into the browser it prompts me
for a password.

I read the servlet api but I couldn't find much to do with servlet security.

 

I wasn't sure how to get my action servlet to obey the /pages/* security
rule too.

 

Any help? 

 

Shawn


 