I apologize Craig, you did explain this but not in this much detail. I wasn't aware of the solution of protecting all *.do URLs with a role of * (or as you suggest a group everyone is in) and then doing finer grained security with Struts. That makes a lot of sense, thank you for clarifying that!
Michael

> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 26, 2002 5:09 PM
> To: Struts Users Mailing List
> Subject: Re: Status of Struts integration with container managed security and alternatives
>
> I did answer your question ... maybe you missed it.
>
> The roles attribute on an Action element will *not* (by itself) trigger a container-managed login. You must also protect *all* URLs with an appropriate security constraint (mapped to *.do, for example) that forces login but allows everyone in. This means either using a role that all users possess, or (Servlet 2.3 only) using a role-name of "*" in the security constraint.
>
> The only purpose of the roles attribute on an <action> is to allow you to specify finer-grained restrictions on who can execute each particular action, without having to maintain separate entries for each action in struts-config.xml and web.xml.
>
> Craig
>
> On Mon, 26 Aug 2002, Michael wrote:
>
> > Date: Mon, 26 Aug 2002 09:23:13 +0200
> > From: Michael <[EMAIL PROTECTED]>
> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > To: Struts Users Mailing List <[EMAIL PROTECTED]>
> > Subject: Status of Struts integration with container managed security and alternatives
> >
> > I've recently played with the container managed security of J2EE (using Tomcat) and the attempt at integrating it into Struts 1.1. I see that a "roles" attribute has been added to the "action" tag in the struts config XML file. The problem with the tag is that it doesn't work. I posted a couple questions about this and didn't get much of a response so my impression is no one is using this feature. So my question is: is any work being done on this? And what are the alternatives? I know I can protect the actions using the normal J2EE container managed security mechanism. The only problem I see with that is that I now have to keep the actions in my struts config xml file in sync with the actions in my web.xml file. Are there any other solutions?
> >
> > Michael

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
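
The arrangement described in this thread, as an added example that is not part of the original messages or of the Struts distribution: one container constraint on `*.do` forces login for everyone, and the `roles` attribute in struts-config.xml narrows individual actions. The role names, action paths, class names and realm name are hypothetical.

```xml
<!-- ===== WEB-INF/web.xml (Servlet 2.3 fragment) ===== -->
<!-- One constraint for every Struts action URL: forces a container login. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>All Struts actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" is shorthand for every role declared in this descriptor, -->
    <!-- so any authenticated user holding one of them is let through. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name> <!-- hypothetical realm name -->
</login-config>

<!-- Roles covered by "*" above (hypothetical names). -->
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>

<!-- ===== WEB-INF/struts-config.xml (Struts 1.1 fragment) ===== -->
<action-mappings>
  <!-- No roles attribute: any logged-in user, because *.do is constrained. -->
  <action path="/viewAccount"
          type="com.example.ViewAccountAction"/>

  <!-- Comma-separated list: the caller must hold at least one of these. -->
  <action path="/editAccount"
          type="com.example.EditAccountAction"
          roles="user,admin"/>

  <!-- Finer-grained restriction with no matching entry in web.xml. -->
  <action path="/deleteAccount"
          type="com.example.DeleteAccountAction"
          roles="admin"/>
</action-mappings>
```

Without the `*.do` constraint the request reaches Struts unauthenticated, so the `roles` check has no logged-in user to evaluate, which matches the behaviour reported in the original question.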