Hi all, I just read the SecurityFilter README file and I saw something about mapping all requests to the security filter, but wait a minute, how far with mapping my requests to the Struts ActionServlet? I will appreciate any help in clarifying the issue above.
David Liles <[EMAIL PROTECTED]> wrote:

Max,

I've looked at the link you provided and noticed there is a limitation to the 2.3 servlet container. What options are available if the platform only supports a 2.2 version?

Thanks

-----Original Message-----
From: Max Cooper [mailto:[EMAIL PROTECTED]]
Sent: Tue 11/11/2003 7:13 AM
To: Struts Users Mailing List
Cc:
Subject: Re: Servlet filter and Struts

That approach breaks the "page-level addressability" advantage that building web apps generally affords, however. The breakage is that the user won't be sent back to the page they requested after they login.

Container-managed security offers robust and time-tested security for your Actions/pages, and also redirects users back to the page they wanted after they login. Everyone that is considering rolling their own security system would do well to investigate the J2EE standard first. The Servlet spec has all the details, but it might be better to find a tutorial-style introduction. It really isn't very complicated. In most cases, it provides all the functionality you need and want, and is generally both more secure and easier to implement than a custom solution. Using the standard system also allows you to make use of security features in the Struts framework and other libraries, too.

There are a few things that I found lacking in container-managed security, so I wrote a filter-based clone of it with a few enhancements. You can find it here: http://www.securityfilter.org/. The main enhancement is that a "default page" can be specified as the place to send users to if they "spontaneously" login. This allows users to bookmark the login page, and/or allows app developers to put a login form on every page in the site. It also moves the realm configuration details into the web app, rather than requiring realm configuration at the server level. There are more exciting features, such as persistent logins, coming in a future release.
-Max

----- Original Message -----
From: "David Liles"
To: "Struts Users Mailing List"
Sent: Tuesday, November 11, 2003 4:14 AM
Subject: RE: Servlet filter and Struts

If you're looking for a simple solution, I've used the following snippet of code:

    document.location=('/Logon.do');

I place it in a JSP and then use a jsp include tag in each of the jsp pages I want secure. This prevents users from bookmarking a page in the site and bypassing the logon the next time.

-----Original Message-----
From: Steffen Gransow [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 11, 2003 4:10 AM
To: 'Struts Users Mailing List'
Subject: RE: Servlet filter and Struts

But that would be somewhat of an overkill, if all I need is securing some pages/actions, wouldn't it? I now have a simple servlet filter that redirects to the login page if a simple object isn't to be found in the session. User passwords (that is, hashes) will later be retrieved from a database. Is this approach wrong or not secure enough? The application I'm developing only has users that do all have the same rights. So I don't need roles at all, I think.

A little OT question: What about securing the connection from clients to server? How is Struts ssl-ext involved in this? I don't know what it can do. Is it not enough to let clients access the webapp using https? Is it an added layer of security?

I admit to being new to developing larger web applications (especially struts) and therefore I do not know too much about role-based or whatever security mechanisms. So please be gentle with my questions. :)

Regards,
Steffen

-----Original Message-----
From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Vic Cekvenich
Sent: Monday, November 10, 2003 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: Servlet filter and Struts
Importance: High

This is the standard way to do what you want: in web.xml only, using J2EE for container (such as Tomcat JDBC realms) for security, a best practice.
Once you know this part of JAAS, then you can extend, to put more things about the user in session, and track that in your actions.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure</web-resource-name>
        <url-pattern>/do/admin/*</url-pattern>
        <url-pattern>/do/what/*</url-pattern>
        <url-pattern>/do/not/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>VALID</role-name>
        <role-name>ENHANCED</role-name>
        <role-name>GUEST</role-name>
        <role-name>EXPIRED</role-name>
        <role-name>ADMIN</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginBad.jsp</form-error-page>
      </form-login-config>
    </login-config>

    <security-role><role-name>GUEST</role-name></security-role>
    <security-role><role-name>VALID</role-name></security-role>
    <security-role><role-name>ENHANCED</role-name></security-role>
    <security-role><role-name>EXPIRED</role-name></security-role>
    <security-role><role-name>ADMIN</role-name></security-role>

Steffen Gransow wrote:
> Sorry, wrong mailing list I guess. :\
>
> But what I would like to know is: If I do forward to a specific page
> in a servlet filter, what would the code look like?
>
>     RequestDispatcher rd =
>         context.getRequestDispatcher("/kvnet/login.jsp");
>     rd.forward(request, response);
>
> Or should I use "/kvent/Login.do"? Or am I totally wrong?
>
> Thanks in advance.
>
> Steffen
>
>
> -----Original Message-----
> From: Steffen Gransow [mailto:[EMAIL PROTECTED]]
> Sent: Monday, November 10, 2003 11:54 AM
> To: [EMAIL PROTECTED]
> Subject: Servlet filter and Struts
>
> Hi,
>
> I want to implement a servlet filter to redirect users to login when
> there is no valid session. Now I have a simple Struts application with
> a welcome and a login page. As soon as I add the filter my
> 'application' stops working. How do I implement a servlet filter in a
> correct way to achieve what I want?
>
> My web.xml looks like this:
>
>     <filter>
>       <filter-name>loginFilter</filter-name>
>       <filter-class>de.quasa.kvnet.util.LoginFilter</filter-class>
>       <init-param>
>         <param-name>loginPage</param-name>
>         <param-value>/jsp/login.jsp</param-value>
>       </init-param>
>     </filter>
>
>     <filter-mapping>
>       <filter-name>loginFilter</filter-name>
>       <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
> The init-param isn't used at the moment. Is the pattern correct? I
> would access my app with a url like this: http://localhost/kvnet
>
> Are there good resources for me to read?
>
> Thanks in advance.
>
> Steffen

--
Victor Cekvenich, Struts Instructor (215) 321-9146
Advanced Struts Training
Server Side Java training with Rich UI, mentoring, designs, samples and project recovery in North East.
Simple best practice basic Portal, a Struts CMS, Membership, Forums, Shopping and Credit processing, software, ready to develop/customize; requires a db to run.
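One way to write the session-checking filter Steffen describes, as an added example that is not code from anyone in this thread. It assumes the filter is mapped to /* with init-params loginPage and loginAction (the second is an assumed name), that a logged-in user is marked by a session attribute named "user" (assumed), and it uses the Servlet 2.3 javax.servlet API; it exempts the login page and login action so the filter cannot redirect to itself, and it saves the requested URL so the login step can return the user to it, which is the point Max raises about page-level addressability:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Added example: a Filter mapped to /* that sends anonymous users to the login
// page and remembers the page they asked for. Attribute and param names are assumed.
public class LoginFilter implements Filter {
    public static final String USER_KEY = "user";          // assumed session attribute
    public static final String TARGET_KEY = "loginTarget"; // assumed session attribute
    private String loginPage;   // init-param loginPage, e.g. /jsp/login.jsp
    private String loginAction; // init-param loginAction, e.g. /Logon.do (assumed)
    public void init(FilterConfig cfg) {
        loginPage = cfg.getInitParameter("loginPage");
        loginAction = cfg.getInitParameter("loginAction");
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Mapped to /*, the filter also sees the login page and the login action;
        // without this exemption they redirect to themselves and the app hangs in a loop.
        String path = request.getServletPath();
        boolean publicPath = path.equals(loginPage) || path.equals(loginAction);
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;
        if (loggedIn || publicPath) {
            chain.doFilter(req, res);
            return;
        }
        // Keep the requested URL so the login action can send the user back to it
        // (page-level addressability). It is this request's own URI, so it can only
        // point inside this application, never to an outside site.
        if ("GET".equals(request.getMethod())) {
            String target = request.getRequestURI();
            if (request.getQueryString() != null) target += "?" + request.getQueryString();
            request.getSession(true).setAttribute(TARGET_KEY, target);
        }
        // Redirect, not forward: a forward stays inside this request and the
        // browser keeps showing the protected URL.
        response.sendRedirect(request.getContextPath() + loginPage);
    }
    public void destroy() {}
}
```

The login action then reads and removes TARGET_KEY from the session after a successful login and redirects there, falling back to a default page when it is absent.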
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]