Thanks a lot, Andrew. I got the idea. --- Andrew Shirk <[EMAIL PROTECTED]> wrote: > Logical paths work fine for me in web.xml (using > tomcat 4.1.x): > > <login-config> > <auth-method>FORM</auth-method> > <form-login-config> > <form-login-page> > /do/login/edit > </form-login-page> > <form-error-page> > /do/login/fail > </form-error-page> > </form-login-config> > </login-config> > > Andrew > > At 03:11 PM 10/7/2003, you wrote: > >People answer questions without reading my original > >post. Therefore, I must re-type my original > question > >again. > > > >Before I posted my question, I had configured the > >Tomcat JDBCRealm following the instructions at > >http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html > >so that I can do security testing programmically, > such > >as isUserInRole(), in my program. > > > >If I use form based authentication, I insert the > ><login-config> and its sub-elements in my web.xml > file > >(see below). As we know, the <form-login-page> and > ><form-error-page> are required. > > > >My question is that the container-managed > >authentication (we provide login page and error > page > >in the web.xml) does not seem to be consistent with > >what we usually do in struts; e.g. we state the > >logical name and path for each .jsp page in the > >struts-config.xml file. > > > >What is the Struts convention in dealing with user > >authentication? Should we specify the paths for > the > >logon page and error page in the struts.config.xml > or > >we should use the <form-login-page> and > ><form-error-page> in the web.xml file? > > > >Thanks. > >--- "Craig R. McClanahan" <[EMAIL PROTECTED]> > wrote: > > > Caroline Jen wrote: > > > > > > >But, I do not want to use BASIC authentication. > I > > > >have many different roles and hundreds of > people > > > per > > > >role. Users' name, role, etc. are stored in a > > > >database. > > > > > > > How authentication is performed (BASIC, > form-based, > > > DIGEST, or SSL > > > client certificates) and how users are stored > > > (database, directory > > > server, local XML file, ...) are two separate > > > questions. For most > > > servers , any combination is possible. With > Tomcat, > > > for example, you > > > can configure JDBCRealm to point at your user > and > > > role definitions in a > > > database, and then use those users with any of > the > > > authentication > > > methods. For more information, see: > > > > > > > > > > >http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html > > > > > > The choice between BASIC and form-based > > > authentication, then, can be > > > based on user interface related concerns, rather > > > than worrying about a > > > database. > > > > > > Craig > > > > > > >--- Matt Raible <[EMAIL PROTECTED]> > wrote: > > > > > > > > > > > >>A JDBCRealm can use BASIC authentication - it > > > >>doesn't require form-based. > > > >>Here's an example app that might help you out: > > > >> > > > >> > > > >> > > > >> > > > > > > >http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample > > > > > > > > > > > >>HTH, > > > >> > > > >>Matt > > > >> > > > >>-----Original Message----- > > > >>From: Caroline Jen > [mailto:[EMAIL PROTECTED] > > > >>Sent: Monday, October 06, 2003 4:45 PM > > > >>To: [EMAIL PROTECTED] > > > >>Subject: Container-Managed Authentication > > > >><login-config> in web.xml vs. > > > >>Specifying Paths in the struts-config.xml > > > >> > > > >> > > > >>I use the Tomcat. I configured the Tomcat > > > JDBCRealm > > > >>so that I can use programmic security testing, > > > such > > > >>as > > > >>isUserInRole(), in my program. > > > >> > > > >>Because Tomcat JDBCRealm is form based, I > inserted > > > >>the > > > >><login-config> and its sub-elements in my > web.xml > > > >>file > > > >>(see below). As we know, the > <form-login-page> > > > and > > > >><form-error-page> are required. > > > >> > > > >>My question is that the container-managed > > > >>authentication does not seem to be consistent > with > > > >>what we usually do in struts; e.g. we state > the > > > >>logical name and path for each .jsp page in > the > > > >>struts-config.xml file. > > > >> > > > >>What is the Struts convention in dealing with > user > > > >>authentication? Should we specify the paths > for > > > the > > > >>logon page and error page in the > struts.config.xml > > > >>or > > > >>we should use the <form-login-page> and > > > >><form-error-page> in the web.xml file? > > > >> > > > >> > > > >> > > > >> > > > > > > >====================================================== > > > > > > > > > > > >><security-constraint> > > > >> <web-resource-collection> > > > >> > > > > >><web-resource-name>SalesInfo</web-resource-name> > > > >> <url-pattern>/SalesInfo/*</url-pattern> > > > >> <http-method>GET</http-method> > > > >> <http-method>POST</http-method> > > > >> </web-resource-collection> > > > >> <auth-constraint> > > > >> <role-name>manager</role-name> > > > >> </auth-constraint> > > > >> <user-data-constraint> > > > >> > > > > >><transport-guarantee>NONE</transport-guarantee> > > > >> </user-data-constraint> > > > >></security-constraint> > > > >> > > > >><login-config> > > > >> <auth-method>FORM</auth-method> > > > >> <form-login-config> > > > >> > > > >> > > > >> > > > >> > > > > > > ><form-login-page>/authentication/login.html</form-login-page> > > > > > === message truncated ===
__________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]