To answer your questions:

1. The LOGON button links to a forward: 
   <html:link forward="logon">LOGON</html:link>
 
   and in my struts-config.xml, I have 

     <forward
        name="logon"
        path="/do/admin/Menu"/>

2. The <security-constraint> in my web.xml is:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative</web-resource-name>
      <!-- The URLs to protect -->
      <url-pattern>/do/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- The authorized users -->
      <role-name>administrator</role-name>
      <role-name>contributor</role-name>
    </auth-constraint>
  </security-constraint>

By the way, there is another problem -- after the
insertion of the <security-constraint>, the
application totally stops functioning.  No welcome
page displayed.  In the browser, I have

HTTP Status 404 - /PracticeVersion
description: The requested resource (/PracticeVersion)
is not available.

and in the Tomcat log file, I have:

LifecycleException: Container
StandardContext[/PracticeVersion] has not been started
  
Thereafter, I deleted the <security-constraint>
element from the web.xml file.  I have the welcome
page displayed.  After I click on the LOGON button in
the welcome page, the welcome page remains in the
browser.  The logon.jsp, which collects j_username,
j_password, does not get displayed and
http://localhost:8080/PracticeVersion/do/admin/Menu
shows in the address bar.

--Caroline

--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
> Caroline Jen wrote:
> 
> >Thank you very much for the detailed explanation. 
> >Yet, I still have a hard time making my application
> >work -- I am "able" to display the welcome page (no
> >problem). And I have
> >http://localhost:8080/PracticeVersion/do/Menu;jsessionid=0A6E76A8F3E849BC8DAAC45BFB72F72E
> >in the address bar.
> >
> >However, after I click on the LOGON button in the
> >welcome page, the welcome page
> >
> Where does this LOGON button submit to?  If it submits to
> "j_security_check", you are doing this wrong.  It should submit to some
> resource that is protected by a security constraint.
> 
> >remains in the browser.
> >The logon.jsp, which collects j_username, j_password,
> >does not get displayed and
> >http://localhost:8080/PracticeVersion/do/admin/Menu
> >shows in the address bar.
> >
> >I do not know what went wrong.  Could it be that the
> >JDBCRealm is not configured correctly?
> >
> >Because the LOGON button links to a forward: 
> ><html:link forward="logon">LOGON</html:link>
> > 
> >and in my struts-config.xml, I have 
> >
> >     <forward
> >        name="logon"
> >        path="/do/admin/Menu"/>
> >
> >The /do/admin/Menu is my protected resource.  I keep
> >it unchanged.
> >  
> >
> It's only protected if it's listed in a
> <security-constraint> in web.xml.
> 
> >1. I configured the Tomcat JDBCRealm and prepared the
> >users table, user-roles table according to the
> >instructions found at
> >http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
> >  
> >
> Which Realm you use does not make any difference.
> 
> >2. Because I want to use FORM based container managed
> >authentication, I inserted
> >
> ><login-config>
> >  <auth-method>FORM</auth-method>
> >  <form-login-config>
> >    <form-login-page>/signin/logon.jsp</form-login-page>
> >    <form-error-page>/signin/logon.jsp?error=true</form-error-page>
> >  </form-login-config>
> ></login-config>
> >
> >in the web.xml file.
> >  
> >
> What does your <security-constraint> in web.xml look like?  This is the
> critical ingredient.
> 
> >3. I put logon.jsp in the ApplicationRoot/signin
> >folder.  Here is the code of the logon.jsp (I took out
> >all the Struts tags) and I know the code works well
> >because I have tested it:
> >
> ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> ><HTML>
> ><HEAD>
> ><TITLE>Container Managed Authentication</TITLE>
> ></HEAD>
> ><BODY>
> ><H1>Sign in, Please</H1>
> ><HR>
> ><FORM action="j_security_check" method="post" focus="j_username">
> ><TABLE border="0" width="50%" cellspacing=3 cellpadding=2>
> ><TR>
> ><TH align="right">User Name:</TH>
> ><TD align="left"><INPUT TYPE=text NAME="j_username" SIZE="25"/></TD>
> ></TR>
> ><TR>
> ><TH align="right">Password:</TH>
> ><TD align="left"><INPUT TYPE=password NAME="j_password" SIZE="10"/></TD>
> ></TR>
> ><TR>
> ><TD align="right"><INPUT TYPE=submit VALUE="Submit"></TD>
> ><TD align="left"><INPUT TYPE=reset VALUE="Reset"></TD>
> ></TR>
> ></TABLE>
> ></FORM>
> ></BODY>
> >
> >--Caroline
> >
> Craig
> 
> >--- "Craig R. McClanahan" <[EMAIL PROTECTED]> wrote:
> >
> >>Caroline Jen wrote:
> >>
> >>>Thank you for your reply.  I am using container
> >>>managed authentication.
> >>>
> >>>My problem is "how to go from j_security_check back to
> >>>my Struts framework."
> >>>
> >>That turns out to not be your problem ... that is
> >>the container's problem.
> >>
> >>The key thing to remember is that the user should never access your
> >>login page (whatever its URL is) directly.  Instead, form-based login
> >>is triggered the first time that an unauthenticated user requests a URL
> >>that is protected by a security constraint.  What happens next goes like
> >>this:
> >>
> >>(1) Unauthenticated user requests a protected resource (*NOT* the login
> >>     page!)
> >>
> >>(2) Container remembers the protected resource that was requested
> >>     in a private variable.
> >>
> >>(3) Container displays the login page, which must have a destination
> >>     of "j_security_check", and waits for the user submit.  For some
> >>     containers, including Tomcat, this is the one-and-only time that
> >>     submitting to "j_security_check" will not return a 404.
> >>
> >>(4) User enters username and password, and presses the submit button.
> >>
> >>(5) Container authenticates the username and password combination.
> >>     If valid, container recalls the resource saved in (2) and displays
> >>     *that* to the user in response to the login submit.
> >>
> >>If this doesn't make sense, temporarily switch your app to use BASIC
> >>authentication instead, and walk through the process.  The user
> >>experience will be identical except that the "login page" will be a
> >>popup dialog box instead of your configured login page.  (Technically,
> >>it's different in one other respect -- it's the *browser* that does the
> >>remembering in step (2) and the restoring in step (5), but the user
> 
=== message truncated ===
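
Added example, not part of the original messages and not Tomcat's or Struts' own code: a small Python checker for the web.xml pieces discussed in this thread. It tests whether a request path is covered by a <url-pattern> inside a <security-constraint> (the condition that triggers form login), and flags security elements that are out of the order fixed by the Servlet 2.3 DTD or roles used in <auth-constraint> without a matching <security-role>. The sample descriptor is constructed from the fragments quoted above; its <security-role> entries, the function names, and the namespace-free 2.3-style descriptor are assumptions.

```python
import xml.etree.ElementTree as ET

# Child order of <web-app> fixed by the Servlet 2.3 DTD (subset used here).
DTD_ORDER = ["servlet", "servlet-mapping", "welcome-file-list",
             "security-constraint", "login-config", "security-role"]
PATTERNS = "security-constraint/web-resource-collection/url-pattern"

# Constructed sample built from the fragments quoted in the thread; the
# <security-role> declarations are an assumption (not shown in the thread).
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative</web-resource-name>
      <url-pattern>/do/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name><role-name>contributor</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/signin/logon.jsp</form-login-page>
      <form-error-page>/signin/logon.jsp?error=true</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>contributor</role-name></security-role>
</web-app>"""

def is_protected(xml_text, path):
    """True if a url-pattern in a security-constraint covers path."""
    for pat in ET.fromstring(xml_text).iterfind(PATTERNS):
        p = pat.text.strip()
        prefix = p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1]))
        if p == path or prefix or (p.startswith("*.") and path.endswith(p[1:])):
            return True
    return False

def check(xml_text):
    """Return a list of problems in the security section of web.xml."""
    root = ET.fromstring(xml_text)
    seen = [c.tag for c in root if c.tag in DTD_ORDER]
    problems = []
    if seen != sorted(seen, key=DTD_ORDER.index):
        problems.append("elements out of DTD order: " + ", ".join(seen))
    declared = {r.text.strip() for r in root.iterfind("security-role/role-name")}
    used = {r.text.strip() for r in root.iterfind("security-constraint/auth-constraint/role-name")}
    for role in sorted(used - declared - {"*"}):
        problems.append("role not declared in <security-role>: " + role)
    return problems
```

With the sample, /do/admin/Menu is covered by the constraint while /do/Menu is not, so only the former would cause the container to show the login page.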


