On Sun, Mar 23, 2003 at 05:10:43AM -0800, Mike Duffy wrote: > Does anyone know of a Struts work around for the problem with Tomact > in bookmarking the login page for container managed security?
I believe, based on past conversations here, that Struts has its own security filter solution to use, instead of standard J2EE security. > There was a brief thread on this issue about a month ago > [http://www.mail-archive.com/[EMAIL PROTECTED]/msg59734.html] > > There is a SourceForge project called SecurityFilter that can be used > to replace Tomcat's container managed security, but it would be nice > to be able to work with Tomcat. I built my current project with standard J2EE security realms, and currently plan to tell my users "don't do that." I do have a vague hope, that I will one day get around to exploring, of setting up a servlet filter that intervenes *before* the security realm gets invoked, and filters out direct requests to the login page, forwarding them to the main system page. However, I haven't even had a chance to look into this, yet. > Has anyone tried to call "j_security_check" directly from an Action > class? Once you can authenticate a user you would be able to get the > roles for that user. > > Is there a way to set up a JDBC Realm purely in Struts? I did not see > any information on this in a quick scan of the documentation. > > Hopefully, the good people working on Tomcat see this as a bug that > needs to be fixed. As far as I've been able to determine, looking at the archives, the answer is "broken as designed", i.e. the spec is broken but tomcat is implementing the spec (which, since tomcat is the reference implementation, I can't really fault them for). The upshot is they won't change it until the spec changes (and hopefully specifies a more reasonable solution). > Quote from a recent thread in the Tomcat news group: "I wish that > there was a legitimate configuration change to enable you to bookmark > a login.jsp page--such as a j_success_url parameter which instructs > Tomcat where to send users if not doing an automated login process." > > Another user stated, "...I simply just can't believe that there are > Tomcat instances out there in a live production environment with > configured realms that suffer from this problem. Surely there must be > something...." > http://www.mail-archive.com/[EMAIL PROTECTED]/msg77974.html If you can figure out a way to have a filter intercept requests for the login page, that'd do the trick. The alternative would be to patch and build your own variation of tomcat, with code to deal with this specific situation. So you'd have a bit of extra work upgrading to new versions of tomcat... Hm... I wonder... if you put the login page *outside* the security realm, would that allow you to have the login page itself redirect to a more appropriate page, if directly invoked? I'll have to crack open the j_security_check class (can't remember, offhand at the moment, what's it's called) and see if there's some parameter it sets when it intercepts a request and forwards it to the login page. If it does set a parameter, checking for that would be a good test to see if the user directly invoked the login page. Steven J. Owens [EMAIL PROTECTED] "I'm going to make broad, sweeping generalizations and strong, declarative statements, because otherwise I'll be here all night and this document will be four times longer and much less fun to read. Take it all with a grain of salt." - Me at http://darksleep.com --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]