Michael, Have you tried accessing /test1.jsp first to get authenticated?
The 400 error indicates that the resource was not found. 403 is the error code for "not authorized". I have noticed that you can get 400 errors if there is a FileNotFoundException thrown while handling the request, even if the request mapped to a "real" resource like a Struts action. You might need to make the request for /login.do (rather than simply /login) depending on how your ActionServlet is mapped.

I am not sure how much value the roles attribute for an action has if it can't invoke the authentication sequence (i.e. send you to the login page, and get you back to your original request). It seems you would have to duplicate the settings with url-mappings in web.xml to get the just-in-time authentication that you probably want. At that point, there doesn't seem to be any reason to duplicate the role requirement in struts-config.xml (and the downside that you would have to maintain the information in two places). On the other hand, it might be useful to specify the roles in struts-config.xml because it is easier for the action implementor to specify them there. If you had a script that would then read the struts-config.xml to produce matching settings in web.xml, it might be of value.

Also, watch out for specifying http-methods in web.xml, as the settings won't match if the request is using a different method. This might be okay if you want to ONLY allow GETs and POSTs and block access to everything else with another security-constraint like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Block all requests not specifically granted by other constraints</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name></role-name>
      </auth-constraint>
    </security-constraint>

Watch out, though, as this "no access" constraint will be matched before any "extension mappings" like *.do or *.jsp. Exact patterns like /test1.jsp and longer path patterns like /auth/* will be evaluated first, however.
-Max

----- Original Message -----
From: "Michael" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Thursday, August 22, 2002 12:58 AM
Subject: RE : Specifying roles for actions

> > You will most likely want to use a <security-constraint> and an
> > <auth-method> in your web.xml file if you want the container to
> > authenticate users automatically. The "roles" attribute in
> > struts-config.xml lets you impose additional restrictions above and
> > beyond
> > whatever is set up in web.xml, but doesn't have any way to trigger
> > authentication in the first place.
>
> I do in fact have this in my web.xml file. In fact for the test1.jsp
> it's working properly. So after this I add the "roles" to the action
> but the action gives me the error..
>
> Web.xml
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Test 1</web-resource-name>
>     <url-pattern>/test1.jsp</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>idtect_readonly</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>Idtect OEM Server</realm-name>
> </login-config>
>
> <security-role>
>   <role-name>idtect_readonly</role-name>
> </security-role>
>
> Struts_config.xml
>
> <!-- Process a user logon -->
> <action path="/login"
>         type="com.idtect.oemserver.web.LoginAction"
>         name="loginForm"
>         scope="request"
>         input="/login.jsp"
>         roles="idtect_readonly">
>
> I get the following error:
>
> HTTP Status 400 - User is not authorized to access action /login
>
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
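Added illustration (not part of the thread, and not Tomcat's or Struts' code): a small Python model of the url-pattern precedence Max describes for <security-constraint>s, run over Michael's "Test 1" constraint and Max's catch-all "/*" constraint. It follows the servlet-spec "best match" rule: the container first picks the winning url-pattern (exact match, then the longest /path/* prefix, then *.ext, then the default "/"), and only then keeps the constraints on that pattern whose <http-method> list covers the request. The "*.do" and "/auth/*" constraints are hypothetical, added only to show that "/*" shadows an extension pattern while a longer prefix beats it. The last case is the caveat a defender should know: because the exact pattern /test1.jsp wins before methods are considered, a DELETE to /test1.jsp is an uncovered method and is left open, and the "/*" catch-all does not rescue it. That gap is what the later Servlet 3.1 <deny-uncovered-http-methods/> element exists to close.

```python
"""Model of how a servlet container chooses which web.xml
<security-constraint>s apply to a request.  Constructed illustration for
the thread above; not Tomcat's code and not part of the mailing-list post.
Rule modelled (servlet-spec "best match"): pick the url-pattern first
(exact match, then the longest /path/* prefix, then *.ext, then "/"),
and only then filter the constraints on that pattern by <http-method>.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Constraint:
    name: str
    patterns: list                                 # <url-pattern> values
    methods: list = field(default_factory=list)    # <http-method>; empty = all
    # roles: None  -> no <auth-constraint>    : anyone may access
    #        []    -> empty <auth-constraint> : nobody may access
    #        [...] -> the <role-name>s allowed
    roles: Optional[list] = None


def _kind(pattern):
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    if pattern.endswith("/*"):
        return "prefix"
    return "exact"


def _matches(pattern, path):
    kind = _kind(pattern)
    if kind == "exact":
        return path == pattern
    if kind == "prefix":
        base = pattern[:-2]                     # "/auth/*" -> "/auth", "/*" -> ""
        return path == base or path.startswith(base + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])       # "*.do" -> ".do"
    return True                                 # default pattern "/"


def best_pattern(constraints, path):
    """The single url-pattern that wins for `path`, or None if nothing matches."""
    buckets = {"exact": [], "prefix": [], "extension": [], "default": []}
    for c in constraints:
        for p in c.patterns:
            if _matches(p, path):
                buckets[_kind(p)].append(p)
    if buckets["exact"]:
        return buckets["exact"][0]
    if buckets["prefix"]:
        return max(buckets["prefix"], key=len)  # longest path prefix wins
    if buckets["extension"]:
        return buckets["extension"][0]
    return buckets["default"][0] if buckets["default"] else None


def decide(constraints, method, path):
    """Return 'open', 'denied', or the set of roles allowed for (method, path)."""
    pattern = best_pattern(constraints, path)
    if pattern is None:
        return "open"                           # no constraint covers this path at all
    applicable = [c for c in constraints
                  if pattern in c.patterns and (not c.methods or method in c.methods)]
    if not applicable:
        return "open"                           # uncovered http-method on the best-match pattern
    if any(c.roles == [] for c in applicable):
        return "denied"                         # an empty <auth-constraint> overrides everything
    if any(c.roles is None for c in applicable):
        return "open"                           # a constraint without <auth-constraint> opens it
    return set().union(*(c.roles for c in applicable))


# Michael's constraint from the thread and Max's proposed catch-all.
TEST1 = Constraint("Test 1", ["/test1.jsp"], ["GET", "POST"], ["idtect_readonly"])
BLOCK_ALL = Constraint("Block all requests not specifically granted by other constraints",
                       ["/*"], [], [])
# Hypothetical constraints, added only to show the precedence rules.
ACTIONS = Constraint("actions (hypothetical)", ["*.do"], [], ["idtect_readonly"])
AUTH_AREA = Constraint("auth area (hypothetical)", ["/auth/*"], [], ["idtect_readonly"])

if __name__ == "__main__":
    cases = [
        ([TEST1], "GET", "/test1.jsp"),          # container authenticates; role required
        ([TEST1], "GET", "/login.do"),           # open: Struts sees no user, then rejects itself
        ([TEST1, ACTIONS], "GET", "/login.do"),  # a *.do constraint makes the container log you in
        ([TEST1, ACTIONS, BLOCK_ALL], "GET", "/login.do"),               # /* shadows *.do
        ([TEST1, ACTIONS, BLOCK_ALL, AUTH_AREA], "GET", "/auth/x.do"),   # /auth/* beats /*
        ([TEST1, BLOCK_ALL], "DELETE", "/test1.jsp"),  # exact match wins, DELETE uncovered
    ]
    for cons, method, path in cases:
        print(f"{method:6} {path:14} -> {decide(cons, method, path)}")
```

The second case reproduces the situation in the thread: with only the /test1.jsp constraint, a request for /login.do reaches Struts unauthenticated, so the container never challenged for credentials and the action's roles check is the first thing to reject it.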