Don't put anything in struts-config; in web.xml, put:

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp?error=true</form-error-page>
        </form-login-config>
    </login-config>


You can use whatever code you like in login.jsp, here's mine as an example:

    <%@ include file="/common/taglibs.jsp"%>

    <tiles:insert definition=".login" flush="true"/>

So you can see it uses Tiles - here's my .login definition:

    <!-- Login Page definition -->
    <definition name=".login" extends="baseLayout">
        <put name="titleKey"  value="login.title"/>
        <put name="headingKey" value="login.heading"/>
        <put name="menu" value="/menu.html"/>
        <put name="content" value="/WEB-INF/pages/login.jsp"/>
    </definition>

Where /pages/login.jsp is:

<%@ include file="/common/taglibs.jsp"%>

<div id="loginTable">
<form method="post" id="loginForm" action="j_security_check">
<table width="100%">
    <tr>
        <td colspan="2">
            <c:if test="${param.error != null}">
            <div class="error"
                style="margin-right: 0; margin-bottom: 3px; margin-top: 3px">
                    <html:img pageKey="icon.warning.img"
                        altKey="icon.warning" styleClass="icon"/>
                    <fmt:message key="errors.password.mismatch"/>
            </div>
            </c:if>
        </td>
    </tr>
    <tr>
        <th>
            <label for="j_username" class="required">
                <fmt:message key="label.username"/>*:
            </label>
        </th>
        <td>
            <input type="text" name="j_username" id="j_username" size="25" />
        </td>
    </tr>
    <tr>
        <th>
            <label for="j_password" class="required">
                <fmt:message key="label.password"/>*:
            </label>
        </th>
        <td>
            <input type="password" name="j_password" id="j_password" size="20" />
        </td>
    </tr>
    <tr>
        <td></td>
        <td>
            <input type="checkbox" name="rememberMe" id="rememberMe" />
            <label for="rememberMe"><fmt:message key="login.rememberMe"/></label>
                <!-- for Resin -->
                <input type="hidden" name="j_uri" id="j_uri" value="" />
        </td>
    </tr>
    <tr>
        <td></td>
        <td>
            <input type="submit" name="login" id="login" value="Login" />
            <input type="reset" name="reset" id="reset" value="Reset"
                onclick="document.getElementById('j_username').focus()" />
        </td>
    </tr>
    <tr>
        <td></td>
        <td><br /><fmt:message key="login.signup"/></td>
    </tr>
</table>
</form>
</div>

HTH,

Matt


-----Original Message-----
From: Caroline Jen [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2003 2:11 PM
To: Struts Users Mailing List
Subject: Re: Container-Managed Authentication <login-config> in web.xml vs. Specifying Paths in the struts-config.xml


People answer questions without reading my original
post.  Therefore, I must re-type my original question
again.

Before I posted my question, I had configured the
Tomcat JDBCRealm following the instructions at
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
so that I can do security testing programmatically, such
as isUserInRole(), in my program.

If I use form based authentication, I insert the
<login-config> and its sub-elements in my web.xml file
(see below).  As we know, the <form-login-page> and
<form-error-page> are required.

My question is that the container-managed
authentication (we provide login page and error page
in the web.xml) does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts-config.xml or
should we use the <form-login-page> and
<form-error-page> in the web.xml file?

Thanks.
--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
> Caroline Jen wrote:
>
> >But, I do not want to use BASIC authentication.  I
> >have many different roles and hundreds of people per
> >role.  Users' name, role, etc. are stored in a
> >database.
> >
> How authentication is performed (BASIC, form-based, DIGEST, or SSL
> client certificates) and how users are stored (database, directory
> server, local XML file, ...) are two separate questions.  For most
> servers, any combination is possible.  With Tomcat, for example, you
> can configure JDBCRealm to point at your user and role definitions in a
> database, and then use those users with any of the authentication
> methods.  For more information, see:
>
>     http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
>
> The choice between BASIC and form-based authentication, then, can be
> based on user interface related concerns, rather than worrying about a
> database.
>
> Craig
> 
> >--- Matt Raible <[EMAIL PROTECTED]> wrote:
> >
> >>A JDBCRealm can use BASIC authentication - it
> >>doesn't require form-based.
> >>Here's an example app that might help you out:
> >>
> >>    http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
> >>
> >>HTH,
> >>
> >>Matt
> >>
> >>-----Original Message-----
> >>From: Caroline Jen [mailto:[EMAIL PROTECTED]
> >>Sent: Monday, October 06, 2003 4:45 PM
> >>To: [EMAIL PROTECTED]
> >>Subject: Container-Managed Authentication
> >><login-config> in web.xml vs.
> >>Specifying Paths in the struts-config.xml
> >>
> >>
> >>I use Tomcat.  I configured the Tomcat JDBCRealm
> >>so that I can use programmatic security testing, such
> >>as isUserInRole(), in my program.
> >>
> >>Because Tomcat JDBCRealm is form based, I inserted
> >>the <login-config> and its sub-elements in my web.xml
> >>file (see below).  As we know, the <form-login-page> and
> >><form-error-page> are required.
> >>
> >>My question is that the container-managed
> >>authentication does not seem to be consistent with
> >>what we usually do in struts; e.g. we state the
> >>logical name and path for each .jsp page in the
> >>struts-config.xml file.
> >>
> >>What is the Struts convention in dealing with user
> >>authentication?  Should we specify the paths for the
> >>logon page and error page in the struts-config.xml
> >>or should we use the <form-login-page> and
> >><form-error-page> in the web.xml file?
> >>
> >>======================================================
> >>
> >><security-constraint>
> >>   <web-resource-collection>
> >>      <web-resource-name>SalesInfo</web-resource-name>
> >>      <url-pattern>/SalesInfo/*</url-pattern>
> >>      <http-method>GET</http-method>
> >>      <http-method>POST</http-method>
> >>   </web-resource-collection>
> >>   <auth-constraint>
> >>      <role-name>manager</role-name>
> >>   </auth-constraint>
> >>   <user-data-constraint>
> >>      <transport-guarantee>NONE</transport-guarantee>
> >>   </user-data-constraint>
> >></security-constraint>
> >>
> >><login-config>
> >>   <auth-method>FORM</auth-method>
> >>   <form-login-config>
> >>      <form-login-page>/authentication/login.html</form-login-page>
> >>      <form-error-page>/authentication/error.html</form-error-page>
> >>   </form-login-config>
> >></login-config>
> >>
> >><security-role>
> >>   <role-name>manager</role-name>
> >></security-role>
> >>
> >>
> >>
> >>
> >>__________________________________
> >>Do you Yahoo!?
> >>The New Yahoo! Shopping - with improved product
> >>search
> >>http://shopping.yahoo.com
> >>
> >>
> >>    
> >>
>
>---------------------------------------------------------------------
> >  
> >
> >>To unsubscribe, e-mail:
> >>[EMAIL PROTECTED]
> >>For additional commands, e-mail:
> >>[EMAIL PROTECTED]