Leandro, your tenacity is inspiring. Keep working at it.
The "final" solution for me (which is, of course, never final) is programming my own role-based security within the confines of my application, combined with an Apache web server that serves as a gateway to my application server, presiding over things like SSL/aliases/rewrites/redirects, and serving static content such as images. So, I am currently not using J2EE container-managed security in any of my applications. Maybe I'm behind the times.
You are a smart enough guy that you shouldn't worry so much about whether you are doing everything the "right" way, in my opinion. Get out the old sketch pad and a pencil, and plan out your application from end to end. What are the security requirements? If you don't see an out-of-the-box way to address them, write code that meets them.
Get a good (very general) book on security (not another Java book). Something by Bruce Schneier would be a good place to start.
As for your questions:
Leandro Melo wrote:
> Hi, I've been trying for days to make this thing work. I googled the web for many tutorials and documentation, I read Scott Stark's review, and lots of other stuff.
> Unfortunately, I guess I didn't make a good search right here on the Struts mail archive. If I had, I'd have found this very explanatory discussion (by Erik, Craig and others).
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg07533.html
> Maybe it was because of English interpretation problems, but I couldn't figure out (in the earlier posts) what Erik was trying to tell me, but now I do understand!!!
> Erik, now I'd like to know if you could work out a "final" solution for your problem? From one of your last posts, I remember you saying that you haven't worked on the "security integration between Tomcat and JBoss", so I'd guess you're still working with the j_security_check thing, aren't you?
> If you're still stuck with the j_security_check action, I have question number 1 for you, but if you're not working with j_security_check anymore and found a better workaround, I have question number 2 for you.
> 1 - Suppose a user requests page http://www.EriksApp/someOtherPage.jsp of your application instead of requesting http://www.EriksApp/index.jsp (or just http://www.EriksApp). First, the user will be redirected to the login page (assume that all your application is secure). Second, if login was successful, he'll be redirected to http://www.EriksApp/someOtherPage.jsp and NOT to http://www.EriksApp/index.jsp, because Tomcat saved that first request. But I'd like to have a forward to SetStuffAction.do in my index.jsp, so I can set user information in this SetStuffAction.do. But if the user is redirected to http://www.EriksApp/someOtherPage.jsp instead of http://www.EriksApp/index.jsp, he/she will bypass that step and won't get their stuff set. How do you "solve" this (a filter, or something else)???

The setup code should be simple and straightforward if your application's "middle" layer is properly developed. Something like this:
    . . .
    // get the username from the container-authenticated principal,
    // perhaps request.getUserPrincipal().getName()
    UserManager manager = new UserManager();
    Collection userInfo = manager.getUserInfo(username);
    session.setAttribute(USER_INFO_KEY, userInfo);
    . . .
A filter sounds reasonable enough to me. Or a custom RequestProcessor. Or a base Action class.
> 2 - Well, if you get the whole thing working without the j_security_check thing and with a "logonAction", would it be possible for you to send me some code???

If you mean, if I get a Struts-specific login form working with container-managed security in JBoss/Tomcat -- yes, if I accomplish that, I will share it.
Erik
> Thank you very much, Leandro.
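Added example (not code from this thread or from Erik's application) of the filter approach Erik suggests: a servlet Filter mapped to every URL that, once the container has authenticated the caller, loads the user's info into the session if it is not there yet, so it does not matter whether Tomcat lands the user on index.jsp or on the originally requested someOtherPage.jsp. The UserManager class, its constructed sample data, and the session key names are assumptions; only the getUserInfo(username) call and USER_INFO_KEY come from Erik's snippet.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Populates per-user session state after container-managed login, on
 * whatever page the container restores after j_security_check.
 * Map it to /* in web.xml so it sees JSPs as well as Struts actions.
 */
public class UserInfoFilter implements Filter {

    /** Session key for the cached user info (name assumed, not from the thread). */
    public static final String USER_INFO_KEY = "userInfo";
    /** Session key recording which principal the cached info was loaded for. */
    public static final String USER_NAME_KEY = "userInfo.principal";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure in this example
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            populateSession((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /**
     * The identity used for the lookup is the container's authenticated
     * principal only; request parameters are never consulted for it.
     */
    static void populateSession(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            return; // not authenticated yet: the container has not let the request past the constraint
        }
        HttpSession session = request.getSession();
        String owner = (String) session.getAttribute(USER_NAME_KEY);
        // Tomcat keeps the pre-login session across j_security_check, so the
        // session can be older than the login; reload when the info is missing
        // or was loaded for a different principal.
        if (session.getAttribute(USER_INFO_KEY) == null || !principal.getName().equals(owner)) {
            UserManager manager = new UserManager();
            Collection<String> userInfo = manager.getUserInfo(principal.getName());
            session.setAttribute(USER_INFO_KEY, userInfo);
            session.setAttribute(USER_NAME_KEY, principal.getName());
        }
    }
}

/** Hypothetical stand-in for the thread's UserManager, backed by constructed sample data. */
class UserManager {
    private static final Map<String, Collection<String>> INFO_BY_USER =
            new HashMap<String, Collection<String>>();
    static {
        INFO_BY_USER.put("leandro", Arrays.asList("displayName=Leandro", "role=user"));
        INFO_BY_USER.put("erik", Arrays.asList("displayName=Erik", "role=admin"));
    }

    public Collection<String> getUserInfo(String username) {
        Collection<String> info = INFO_BY_USER.get(username);
        // unknown principals get an empty collection rather than a null in the session
        return info == null ? Collections.<String>emptyList() : info;
    }
}
```

Register it in web.xml with a filter element for UserInfoFilter and a filter-mapping whose url-pattern is /*. A base Action class would only run for .do requests, so a user sent straight to a JSP after login would still miss the setup step; the filter covers both. Checking the stored principal name against the current one also keeps user info from surviving into a session that a different principal later authenticates on.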
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]