You might not want to tell users what was wrong for security reasons. If they type a username/password and can get a "username invalid" or "password invalid" error, they will know when they have guessed a good username. "passwords can only contain letters and digits", etc. also give away information that you may want to protect. This may not be a major concern, but it is good to be aware of such issues.
Assuming the info give-away from the specialized error messages is not a significant concern, you could have a Struts Action as the error page. It will populate an ActionForm, do validation, etc. It would be a second check (inefficient) but you wouldn't have to modify (and maintain your modification to) SecurityFilter to do it. Perhaps some sort of error type system could be setup in SecurityFilter. It would require changes/additions to the realm interface, but perhaps it is worth it for this added functionality. It might be nice to incorporate support for rules like "you have to change your password every X days", etc. as well. -Max ----- Original Message ----- From: "Curtney Jacobs" <[EMAIL PROTECTED]> To: "Struts Users Mailing List" <[EMAIL PROTECTED]> Sent: Friday, January 10, 2003 7:19 AM Subject: Security Filter and ActionForm > Greetings!! > > I have a login ActionForm (LogInForm) and a associated login Action class > (LogInAction). When the form is submitted, the request is intercepted by a > Security Filter. The Security filter authenticates and perform necessary > authorization checks on the user via a ldap server. > > If the user authentication fails, let say because of an invalid password, how > can I use my ActionForm (LogInForm) to indicate this error to the user? > > I am aware that the Struts ActionForm and Action have not even been > instantiated/intitialize, since the security filter intercepted the request. > > I have thought of setting an attribute in the request scope, for example, an > "invalid flag" that the ActionForm validate method can check for. This will > then trigger the display of the login form and asociated error message to the > user. > > I am not sure if the above is good practice :( > > Any suggestions or comments will be much appreciated. > > Curtney Jacobs > -- > U-Interface.com > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
