Michael,

Have you tried accessing /test1.jsp first to get authenticated?

The 400 error indicates that the resource was not found. 403 is the error
code for "not authorized". I have noticed that you can get 400 errors if
there is a FileNotFoundException thrown while handling the request, even if
the request mapped to a "real" resource like a Struts action.

You might need to make the request for /login.do (rather than simply /login)
depending on how your ActionServlet is mapped.

I am not sure how much value the roles attribute for an action has if it
can't invoke the authentication sequence (i.e. send you to the login page,
and get you back to your original request). It seems you would have to
duplicate the settings with url-mappings in web.xml to get the just-in-time
authentication that you probably want. At that point, there doesn't seem to
be any reason to duplicate the role requirement in struts-config.xml (and
the downside that you would have to maintain the information in two places).
On the other hand, it might be useful to specify the roles in
struts-config.xml because it is easier for the action implementor to specify
them there. If you had a script that would then read the struts-config.xml
to produce matching settings in web.xml, it might be of value.

Also, watch out for specifying http-methods in web.xml, as the settings
won't match if the request is using a different method. This might be okay
if you want to ONLY allow GETs and POSTs and block access to everything else
with another security-constraint like this:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Block all requests not specifically granted by other constraints</web-resource-name>
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name></role-name>
   </auth-constraint>
</security-constraint>

Watch out, though, as this "no access" constraint will be matched before any
"extension mappings" like *.do or *.jsp. Exact patterns like /test1.jsp and
longer path patterns like /auth/* will be evaluated first, however.

-Max
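
The struts-config-to-web.xml script Max floats above, as an added example (mine, not code from the thread or from Struts): it reads the roles attribute of each <action>, emits one <security-constraint> per protected action and one <security-role> per distinct role, so the role requirement is maintained in struts-config.xml only. Assumptions: the ActionServlet is mapped to *.do, so path /login becomes url-pattern /login.do; the struts-config fragment is constructed from Michael's action plus two made-up actions (/admin/reset with two roles, /help with none); no <http-method> is emitted on purpose, so each constraint covers every method.

```python
"""Generate web.xml security constraints from the roles attribute of Struts
actions. Added example, not code from the thread or from Struts."""
import xml.etree.ElementTree as ET

# Constructed struts-config fragment: Michael's action plus two made-up ones.
STRUTS_CONFIG = """<struts-config>
  <action-mappings>
    <action path="/login" type="com.idtect.oemserver.web.LoginAction"
            name="loginForm" scope="request" input="/login.jsp"
            roles="idtect_readonly"/>
    <action path="/admin/reset" type="com.example.ResetAction"
            roles="idtect_admin, idtect_readonly"/>
    <action path="/help" type="com.example.HelpAction"/>
  </action-mappings>
</struts-config>"""

ACTION_EXTENSION = ".do"  # assumption: <servlet-mapping> *.do for the ActionServlet


def action_roles(struts_config_xml):
    """Return [(url-pattern, [roles...])] for every action that declares roles."""
    result = []
    for action in ET.fromstring(struts_config_xml).iter("action"):
        roles = [r.strip() for r in action.get("roles", "").split(",") if r.strip()]
        if roles:  # actions without roles get no constraint
            result.append((action.get("path") + ACTION_EXTENSION, roles))
    return result


def build_constraints(struts_config_xml):
    """Build <security-constraint> and <security-role> elements under a
    throwaway root; its children are what gets pasted into web.xml.
    No <http-method> is written, so each constraint applies to every method."""
    frag = ET.Element("web-app-fragment")
    all_roles = []
    for pattern, roles in action_roles(struts_config_xml):
        sc = ET.SubElement(frag, "security-constraint")
        wrc = ET.SubElement(sc, "web-resource-collection")
        ET.SubElement(wrc, "web-resource-name").text = "Struts action " + pattern
        ET.SubElement(wrc, "url-pattern").text = pattern
        ac = ET.SubElement(sc, "auth-constraint")
        for role in roles:
            ET.SubElement(ac, "role-name").text = role
            if role not in all_roles:
                all_roles.append(role)
    for role in all_roles:
        ET.SubElement(ET.SubElement(frag, "security-role"), "role-name").text = role
    return frag


def render(struts_config_xml):
    """Pretty-printed XML text of the generated elements (Python 3.9+ for indent)."""
    frag = build_constraints(struts_config_xml)
    ET.indent(frag)
    return ET.tostring(frag, encoding="unicode")


if __name__ == "__main__":
    print(render(STRUTS_CONFIG))
```

Running it prints two security-constraint elements (/login.do and /admin/reset.do) followed by the two security-role declarations; an action with no roles attribute produces nothing, which is the point Max makes about keeping the information in one place.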

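A small Python model of the constraint-matching order Max describes above (an added illustration, not code from the thread, from Struts or from any servlet container). It parses a web.xml fragment built from Michael's /test1.jsp constraint plus constructed *.do, /auth/* and catch-all /* constraints, and reports which constraint wins for a given path and method. Assumptions: the order is exact url-pattern, then longest path prefix (with /* as the shortest possible prefix, which is why it outranks extension patterns), then extension patterns like *.do; a matching constraint whose <http-method> list omits the request's method is skipped and the next-best constraint applies; the constraint names "Actions", "Auth area" and "Block all" are mine.

```python
"""Which web.xml <security-constraint> applies to a request?
Added example, not code from the thread or from any servlet container.
Modelled order (as Max describes it): exact url-pattern, then longest path
prefix (/* counts as the shortest prefix), then extension patterns like *.do.
Assumption: a constraint listing <http-method> elements is skipped for other
methods and the next-best constraint applies instead."""
import xml.etree.ElementTree as ET

# Constructed fragment: Michael's /test1.jsp constraint plus made-up *.do and
# /auth/* constraints to exercise the precedence rules.
BASE_CONSTRAINTS = """
  <security-constraint>
    <web-resource-collection><web-resource-name>Test 1</web-resource-name>
      <url-pattern>/test1.jsp</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>idtect_readonly</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Actions</web-resource-name>
      <url-pattern>*.do</url-pattern></web-resource-collection>
    <auth-constraint><role-name>idtect_readonly</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Auth area</web-resource-name>
      <url-pattern>/auth/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>idtect_readonly</role-name></auth-constraint>
  </security-constraint>
"""
# Max's "no access" constraint: an auth-constraint that no role can satisfy.
CATCH_ALL = """
  <security-constraint>
    <web-resource-collection><web-resource-name>Block all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name></role-name></auth-constraint>
  </security-constraint>
"""
COMMON_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")


def build_web_xml(with_catch_all):
    return "<web-app>" + BASE_CONSTRAINTS + (CATCH_ALL if with_catch_all else "") + "</web-app>"


def load_constraints(xml_text):
    """Parse each <security-constraint> into a dict. roles None means there is
    no <auth-constraint> (open); an empty set means no role can satisfy it."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        coll, auth = sc.find("web-resource-collection"), sc.find("auth-constraint")
        roles = None
        if auth is not None:
            roles = {r.text.strip() for r in auth.findall("role-name") if r.text and r.text.strip()}
        out.append({"name": coll.findtext("web-resource-name", "").strip(),
                    "patterns": [p.text.strip() for p in coll.findall("url-pattern")],
                    "methods": {m.text.strip().upper() for m in coll.findall("http-method")},
                    "roles": roles})
    return out


def _match_rank(pattern, path):
    """Sort key when pattern matches path, else None; smaller wins.
    Stage 0 exact, 1 path prefix (longer prefix first), 2 extension."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return (1, -len(prefix)) if path == prefix or path.startswith(prefix + "/") else None
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (2, 0)
    return None


def decide(constraints, path, method):
    """Return (decision, constraint name, roles); decision is 'unconstrained',
    'permit' (no auth-constraint), 'deny' (no satisfiable role) or 'require-role'."""
    best = None
    for c in constraints:
        if c["methods"] and method.upper() not in c["methods"]:
            continue  # assumption: unlisted methods fall through to other constraints
        for pattern in c["patterns"]:
            rank = _match_rank(pattern, path)
            if rank is not None and (best is None or rank < best[0]):
                best = (rank, c)
    if best is None:
        return ("unconstrained", None, ())
    c = best[1]
    if c["roles"]:
        return ("require-role", c["name"], tuple(sorted(c["roles"])))
    return ("permit" if c["roles"] is None else "deny", c["name"], ())


def uncovered_methods(constraints, path, methods=COMMON_METHODS):
    """Methods for which no constraint covers path at all: the gap Max warns about."""
    return [m for m in methods if decide(constraints, path, m)[0] == "unconstrained"]


if __name__ == "__main__":
    for with_catch_all in (False, True):
        cs = load_constraints(build_web_xml(with_catch_all))
        for path, method in (("/test1.jsp", "HEAD"), ("/login.do", "GET"), ("/auth/login.do", "GET")):
            print(with_catch_all, method, path, "->", decide(cs, path, method))
        print(with_catch_all, "uncovered methods on /test1.jsp:", uncovered_methods(cs, "/test1.jsp"))
```

Running it shows both halves of Max's warning: without the catch-all, /test1.jsp is covered only for GET and POST, so HEAD, PUT, DELETE, OPTIONS and TRACE reach it unconstrained; with the catch-all, those methods are denied, but so is GET /login.do, because /* outranks the *.do extension pattern, while /auth/login.do still resolves to the longer /auth/* prefix. Actions that must stay reachable therefore need exact or path-prefix patterns of their own.
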
----- Original Message -----
From: "Michael" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Thursday, August 22, 2002 12:58 AM
Subject: RE : Specifying roles for actions


> > You will most likely want to use a <security-constraint> and an
> > <auth-method> in your web.xml file if you want the container to
> > authenticate users automatically.  The "roles" attribute in
> > struts-config.xml lets you impose additional restrictions above and beyond
> > whatever is set up in web.xml, but doesn't have any way to trigger
> > authentication in the first place.
>
> I do in fact have this in my web.xml file.  In fact for the test1.jsp
> it's working properly.  So after this I add the "roles" to the action
> but the action gives me the error..
>
> Web.xml
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Test 1</web-resource-name>
>       <url-pattern>/test1.jsp</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>idtect_readonly</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>Idtect OEM Server</realm-name>
>   </login-config>
>
>   <security-role>
>     <role-name>idtect_readonly</role-name>
>   </security-role>
>
> Struts_config.xml
>
> <!-- Process a user logon -->
> <action    path="/login"
>            type="com.idtect.oemserver.web.LoginAction"
>            name="loginForm"
>            scope="request"
>            input="/login.jsp"
>            roles="idtect_readonly"/>
>
> I get the following error:
>
> HTTP Status 400 - User is not authorized to access action /login
>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>


