To answer your questions:

1. The LOGON button links to a forward:

   <html:link forward="logon">LOGON</html:link>

   and in my struts-config.xml, I have

   <forward name="logon" path="/do/admin/Menu"/>

2. The <security-constraint> in my web.xml is:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Administrative</web-resource-name>
       <!-- The URLs to protect -->
       <url-pattern>/do/admin/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <!-- The authorized users -->
       <role-name>administrator</role-name>
       <role-name>contributor</role-name>
     </auth-constraint>
   </security-constraint>

By the way, there is another problem -- after the insertion of the
<security-constraint>, the application totally stops functioning. No
welcome page displayed. In the browser, I have

   HTTP Status 404 -/PracticeVersion
   description: The requested resource(/PracticeVersion) is not available.

and in the Tomcat log file, I have:

   LifecycleException: Container StandardContext[/PracticeVersion] has not been started

Thereafter, I deleted the <security-constraint> element from the web.xml
file. I have the welcome page displayed. After I click on the LOGON
button in the welcome page, the welcome page remains in the browser. The
logon.jsp, which collects j-username, j_password, does not get displayed
and http://localhost:8080/PracticeVersion/do/admin/Menu shows in the
address bar.

--Caroline

--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
> Caroline Jen wrote:
>
> >Thank you very much for the detailed explanation.
> >Yet, I still have a hard time to make my application
> >work -- I am "able" to display the welcome page (no
> >problem). And I have
> >http://localhost:8080/PracticeVersion/do/Menu;jsessionid=0A6E76A8F3E849BC8DAAC45BFB72F72E
> >in the address bar.
> >
> >However, after I click on the LOGON button in the
> >welcome page, the welcome page
> >
> Where does this LOGON button submit to? If it submits to
> "j_security_check", you are doing this wrong. It should submit to some
> resource that is protected by a security constraint.
>
> >remains in the browser.
> >The logon.jsp, which collects j-username, j_password,
> >does not get displayed and
> >http://localhost:8080/PracticeVersion/do/admin/Menu
> >shows in the address bar.
> >
> >I do not know what went wrong. Could it be that the
> >JDBCRealm is not configured correctly?
> >
> >Because the LOGON button links to a forward:
> ><html:link forward="logon">LOGON</html:link>
> >
> >and in my struts-config.xml, I have
> >
> >     <forward
> >        name="logon"
> >        path="/do/admin/Menu"/>
> >
> >The /do/admin/Menu is my protected resource. I keep
> >it unchanged.
> >
> It's only protected if it's listed in a
> <security-constraint> in web.xml.
>
> >1. I configured the Tomcat JDBCRealm and prepared the
> >users table, user-roles table according to the
> >instructions found at
> >http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
> >
> Which Realm you use does not make any difference.
>
> >2. Because I want to use FORM based container managed
> >authentication, I inserted
> >
> ><login-config>
> >   <auth-method>FORM</auth-method>
> >   <form-login-config>
> >      <form-login-page>/signin/logon.jsp</form-login-page>
> >      <form-error-page>/signin/logon.jsp?error=true</form-error-page>
> >   </form-login-config>
> ></login-config>
> >
> >in the web.xml file.
> >
> What does your <security-constraint> in web.xml look like? This is the
> critical ingredient.
>
> >3. I put logon.jsp in the ApplicationRoot/signin
> >folder.
> >Here is the code of the logon.jsp (I took out
> >all the Struts tags) and I know the code works well
> >because I have tested it:
> >
> ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> ><HTML>
> ><HEAD>
> ><TITLE>Container Managed Authentication</TITLE>
> ></HEAD>
> ><BODY>
> ><H1>Sign in, Please</H1>
> ><HR>
> ><FORM action="j_security_check" method="post" focus="j_username">
> ><TABLE border="0" width="50%" cellspacing=3 cellpadding=2>
> ><TR>
> ><TH align="right">User Name:</TH>
> ><TD align="left"><INPUT TYPE=text NAME="j_username" SIZE="25"/></TD>
> ></TR>
> ><TR>
> ><TH align="right">Password:</TH>
> ><TD align="left"><INPUT TYPE=password NAME="j_password" SIZE="10"/></TD>
> ></TR>
> ><TR>
> ><TD align="right"><INPUT TYPE=submit VALUE="Submit"></TD>
> ><TD align="left"><INPUT TYPE=reset VALUE="Reset"></TD>
> ></TR>
> ></TABLE>
> ></FORM>
> ></BODY>
> >
> >--Caroline
> >
> Craig
>
> >--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
> >
> >>Caroline Jen wrote:
> >>
> >>>Thank you for your reply. I am using container
> >>>managed authentication.
> >>>
> >>>My problem is "how to go from j_security_check back to
> >>>my Struts framework."
> >>>
> >>That turns out to not be your problem ... that is
> >>the container's problem.
> >>
> >>The key thing to remember is that the user should never access your
> >>login page (whatever its URL is) directly. Instead, form-based login
> >>is triggered the first time that an unauthenticated user requests a URL
> >>that is protected by a security constraint. What happens next goes like
> >>this:
> >>
> >>(1) Unauthenticated user requests a protected resource (*NOT* the login
> >>    page!)
> >>
> >>(2) Container remembers the protected resource that was requested
> >>    in a private variable.
> >>
> >>(3) Container displays the login page, which must have a destination
> >>    of "j_security_check", and waits for the user submit. For some
> >>    containers, including Tomcat, this is the one-and-only time that
> >>    submitting to "j_security_check" will not return a 404.
> >>
> >>(4) User enters username and password, and presses the submit button.
> >>
> >>(5) Container authenticates the username and password combination.
> >>    If valid, container recalls the resource saved in (2) and displays
> >>    *that* to the user in response to the login submit.
> >>
> >>If this doesn't make sense, temporarily switch your app to use BASIC
> >>authentication instead, and walk through the process. The user
> >>experience will be identical except that the "login page" will be a
> >>popup dialog box instead of your configured login page. (Technically,
> >>it's different in one other respect -- it's the *browser* that does the
> >>remembering in step (2) and the restoring in step (5), but the user
=== message truncated ===
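
Added example (not part of the original messages, and not Tomcat's code): a small Python model of the FORM login sequence in steps (1)-(5) quoted above, showing why a URL that no <security-constraint> covers never triggers the login page and why posting to j_security_check without a saved request returns 404. The Container class, its method names and the credentials are constructed for illustration; the URL pattern and page paths are the ones from the thread, and pattern matching is simplified to a glob.

```python
from fnmatch import fnmatchcase

PROTECTED = ["/do/admin/*"]        # <url-pattern> from the thread's <security-constraint>
LOGIN_PAGE = "/signin/logon.jsp"   # <form-login-page> from the thread
ERROR_PAGE = "/signin/logon.jsp?error=true"   # <form-error-page> from the thread
USERS = {"caroline": "s3cret"}     # constructed credentials standing in for the Realm


class Container:
    """Toy model of FORM login; one instance stands for one browser session."""

    def __init__(self, protected=PROTECTED):
        self.protected = protected
        self.saved_request = None  # step (2): the container's private variable
        self.user = None

    def is_protected(self, path):
        # Simplification: servlet url-pattern matching approximated by a glob.
        return any(fnmatchcase(path, pattern) for pattern in self.protected)

    def get(self, path):
        """Return (status, resource the browser ends up seeing)."""
        if self.user or not self.is_protected(path):
            return 200, path               # no constraint matched: served as-is
        self.saved_request = path          # steps (1) and (2)
        return 200, LOGIN_PAGE             # step (3)

    def post_j_security_check(self, username, password):
        if self.saved_request is None:     # login page was reached directly
            return 404, None
        if USERS.get(username) != password:
            return 200, ERROR_PAGE         # saved request is kept for a retry
        self.user, target = username, self.saved_request
        self.saved_request = None
        return 200, target                 # step (5): the originally requested URL


def demo():
    without_constraint = Container(protected=[])  # web.xml with the constraint removed
    with_constraint = Container()
    return [
        without_constraint.get("/do/admin/Menu"),
        without_constraint.post_j_security_check("caroline", "s3cret"),
        with_constraint.get("/do/admin/Menu"),
        with_constraint.post_j_security_check("caroline", "s3cret"),
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```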