Thank you very much for the detailed explanation. Yet, I still have hard time to make my application work -- I am "able" to display the welcome page (no problem). And I have http://localhost:8080/PracticeVersion/do/Menu;jsessionid=0A6E76A8F3E849BC8DAAC45BFB72F72E in the address bar.
However, after I click on the LOGON button in the welcome page, the welcome page remains in the browser. The logon.jsp, which collects j-username, j_passwor, does not get displayed and http://localhost:8080/PracticeVersion/do/admin/Menu shows in the address bar. I do not know what went wrong. Could it be that the JDBCRealm is not configured correctly? Because the LOGON button links to a forward: <html:link forward="logon">LOGON</html:link> and in my struts-config.xml, I have <forward name="logon" path="/do/admin/Menu"/> The /do/admin/Menu is my protected resources. I keep it unchanged. 1. I configured the Tomcat JDBCRealm and prepared the users table, user-roles table according the instructions found at http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html 2. Because I want to use FORM based container managed authentication, I inserted <login-config> <auth-method>FORM</auth-method> <form-login-config> <form-login-page>/signin/logon.jsp</form-login-page> <form-error-page>/signin/logon.jsp?error=true</form-error-page> </form-login-config> </login-config> in the web.xml file. 3. I put logon.jsp in the ApplicationRoot/signin folder. Here is the code of the logon.jsp (I took out all the Struts tags) and I know the code works well because I have tested it: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <TITLE>Container Managed Authentication</TITLE> </HEAD> <BODY> <H1>Sign in, Please</H1> <HR> <FORM action="j_security_check" method="post" focus="j_username"> <TABLE border="0" width="50%" cellspacing=3 cellpadding=2> <TR> <TH align="right">User Name:</TH> <TD align="left"><INPUT TYPE=text NAME="j_username" SIZE="25"/></TD> </TR> <TR> <TH align="right">Password:</TH> <TD align="left"><INPUT TYPE=password NAME="j_password" SIZE="10"/></TD> </TR> <TR> <TD align="right"><INPUT TYPE=submit VALUE="Submit"></TD> <TD align="left"><INPUT TYPE=reset VALUE="Reset"></TD> </TR> </TABLE> </FORM> </BODY> --Caroline --- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote: > Caroline Jen wrote: > > >Thank you for your reply. I am using container > >managed authentication. > > > >My problem is "how to go from j_security_check back > to > >my Struts framework." > > > > > > That turns out to not be your problem ... that is > the container's problem. > > The key thing to remember is that the user should > never access your > login page (whatever it's URL is) directly. > Instead, form-based login > is triggered the first time that an unauthenticated > user requests a URL > that is protected by a security constraint. What > happens next goes like > this: > > (1) Unauthenticated user requests a protected > resource (*NOT* the login > page!) > > (2) Container remembers the protected resource that > was requested > in a private variable. > > (3) Container displays the login page, which must > have a destination > of "j_security_check", and waits for the user > submit. For some > containers, > including Tomcat, this is the one-and-only time > that submitting to > "j_security_check" will not return a 404. > > (4) User enters username and password, and presses > the submit button. > > (5) Container authenticates the username and > password combination. > If valid, container recalls the resource saved > in (2) and displays > *that* > to the user in response to the login submit. > > If this doesn't make sense, temporarily switch your > app to use BASIC > authentication instead, and walk through the > process. The user > experience will be identical except that the "login > page" will be a > popup dialog box instead of your configured login > page. (Technically, > it's different in one other respect -- it's the > *browser* that does the > remembering in step (2) and the restoring in step > (5), but the user > doesn't know that). > > The important point is that, at no time, did anyone > ever submit a > request to the URL of the login page, because there > is no such thing > when using BASIC authentication. You should pretend > there is no such > thing when using form based login, also; think of > the login page as part > of the container, not part of your app. > > In answer to your original question, the simplest > thing to do on a login > page is just use the standard HTML form element > instead of the Struts > <html:form> tag. Then, you can just say: > > <form method="POST" action="j_security_check"> > ... > </form> > > Craig > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: > [EMAIL PROTECTED] > For additional commands, e-mail: > [EMAIL PROTECTED] > __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]