Thanks Max. Now I have done it this way: I have a Struts login form which submits to a LoginAction. There I check the user from a db and store the data in a session. The LoginAction forwards to the main page which is secured. SecurityFilter looks now for a file which I titled j_security_check.jsp. This file is an ordinary HTML form which submits automatically using JavaScript. The input types are therefore hidden. This works like a charm.
However, I have a second application which uses frames. I tried to apply the above pattern the same way and surprisingly it only works the first time a user logs in. After that, if a user logs in (it does not matter if it is the same user or not) I get a NullPointerException caused by the RealmClass (which is extended from SimpleRealmBase...) in method isUserInRole. I traced it and found out that the username is null. But if you reload the page everything works... it is strange. I guess this has something to do with the second isUserInRole method where the principal is checked against null, and if it is not, the username gets populated.

Any idea, Max?

thx,
Dirk

-----Original Message-----
From: Max Cooper [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 January 2004 22:24
To: Struts Users Mailing List
Subject: Re: SecurityFilter with Struts

Oops, this isn't entirely true:
"There is no way to call an Action during the authentication process."

You can have your login page be an action (/login.do) -- I just meant that you can't execute an action when that page is submitted. In other words, you can't process the login request with an Action, or have an Action do additional authentication-time processing when the login page is submitted.

-Max

----- Original Message -----
From: "Max Cooper" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Friday, January 30, 2004 1:19 PM
Subject: Re: SecurityFilter with Struts

> Use a regular form tag for the login page. The form will not be submitted to
> a Struts action but rather it will be processed by the filter. There is no
> way to call an Action during the authentication process. This is very
> similar to how container-managed security works.
>
> One difference between container security and SecurityFilter is that you can
> specify a "default" page to send the user to after they login, if they
> arrive at the login page on their own. Normally, users are automatically
> sent to the login page by the filter (just like container security) when
> they try to access a page they need to be authenticated for. If that is the
> case, SecurityFilter will redirect them to the page they were going to after
> they are authenticated:
>
> SCENARIO 1: User goes directly to login page:
>
> GET /login.jsp
> POST /j_security_check
> (server redirects user to the configured "default" page -- /defaultPage.do
> in this example)
> GET /defaultPage.do
>
> SCENARIO 2: Filter sends user to login page
>
> GET /mustBeLoggedInToSeeThisPage.do
> (server redirects to /login.jsp)
> GET /login.jsp
> POST /j_security_check
> (server redirects to /mustBeLoggedInToSeeThisPage.do)
> GET /mustBeLoggedInToSeeThisPage.do
>
> -Max
>
> ----- Original Message -----
> From: "Dirk Manske (Service Respond)" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, January 30, 2004 6:00 AM
> Subject: SecurityFilter with Struts
>
> > Hi,
> >
> > I try to integrate SecurityFilter 1.1 in my struts app. I understand that I
> > have to use "j_security_check" in my form action to setup SecurityFilter.
> > But how does it work within a <html:form>? Because "j_security_check" always
> > gets populated to "j_security_check.do" the SecurityFilter will never be
> > called!? So how should my login.jsp be designed to pass "j_security_check"
> > and after this forward to a struts action class?
> >
> > any idea?
> >
> > thanks,
> >
> > Dirk
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
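
The two scenarios Max describes, modelled as an added example that is not part of the original thread and is not SecurityFilter's source code. The class, the session keys, the sample credentials and the `j_username`/`j_password` parameter names (the usual form-login names, not mentioned in the thread) are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Constructed model of the login flow in the thread; not the filter's own code. */
public class LoginFlowModel {
    static final String LOGIN_PAGE = "/login.jsp";
    static final String DEFAULT_PAGE = "/defaultPage.do";
    static final String LOGIN_SUBMIT = "/j_security_check";
    static final String SAVED = "savedRequest";   // hypothetical session keys
    static final String USER = "user";

    /** Returns "REDIRECT <path>" or "SERVE <path>" for one request. */
    static String handle(String method, String path, Map<String, String> params,
                         Map<String, String> session) {
        if (path.equals(LOGIN_SUBMIT)) {
            // The filter consumes the login POST itself; no Struts action runs here.
            if (!"POST".equals(method) || !authenticate(params)) {
                return "REDIRECT " + LOGIN_PAGE;
            }
            session.put(USER, params.get("j_username"));
            String target = session.remove(SAVED);   // page the user originally asked for
            return "REDIRECT " + (target != null ? target : DEFAULT_PAGE);
        }
        if (path.equals(LOGIN_PAGE)) return "SERVE " + path;
        if (session.get(USER) == null) {             // protected page, nobody logged in
            session.put(SAVED, path);
            return "REDIRECT " + LOGIN_PAGE;
        }
        return "SERVE " + path;
    }

    // Constructed credential check standing in for a realm lookup.
    static boolean authenticate(Map<String, String> p) {
        return "dirk".equals(p.get("j_username")) && "secret".equals(p.get("j_password"));
    }

    public static void main(String[] args) {
        Map<String, String> creds = new HashMap<>();
        creds.put("j_username", "dirk");
        creds.put("j_password", "secret");
        Map<String, String> none = new HashMap<>();

        Map<String, String> s1 = new HashMap<>();    // scenario 1: direct visit to login page
        System.out.println(handle("GET", LOGIN_PAGE, none, s1));
        System.out.println(handle("POST", LOGIN_SUBMIT, creds, s1));

        Map<String, String> s2 = new HashMap<>();    // scenario 2: filter sends user to login
        System.out.println(handle("GET", "/mustBeLoggedInToSeeThisPage.do", none, s2));
        System.out.println(handle("POST", LOGIN_SUBMIT, creds, s2));
    }
}
```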