Sorry to hear that you are so mad; it is indeed frustrating to try to
work with APIs that are poorly documented, but I think you're still
missing one thing I've been saying . . .
Leandro Melo wrote:
Hi Erik,
the point is that I am actually changing my approach.
I gave up for a moment the action="j_security_check" thing
(I'm using j_username and j_password just to make it
similar, just because those names were already there
when I tried something with j_security_check)
and pointed the action of my login.jsp to
action="/logon.do".
Then, in this action, I just create the login using
JBoss's default structure (I'm using
DatabaseServerLogin and UsernamePasswordCallbackHandler,
which are JBoss's stuff).
BUT I'm really, really, really mad at this thing.
I've never been so disappointed about one thing as I am
with this.
If you look at my logon action you'll see that it does
just what all tutorials and references on JAAS say to do.
// Imports this snippet needs (the last two are JBoss classes from jbosssx.jar)
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.UsernamePasswordHandler;
//...
String j_username = request.getParameter("j_username");
String x = request.getParameter("j_password");
char[] j_password = null;
UsernamePasswordHandler handler = null;
if (x != null) {
    j_password = x.toCharArray();
    // answers the login module's name/password callbacks
    handler = new UsernamePasswordHandler(j_username, j_password);
}
LoginContext lc = null;
try {
    // "example2" names an application-policy in login-config.xml
    lc = new LoginContext("example2", handler);
    lc.login();
    Subject subject = lc.getSubject();
    Set principals = subject.getPrincipals();
    Principal user = new SimplePrincipal(j_username);
    principals.add(user);
} catch (LoginException e) {
    e.printStackTrace();
    throw new Exception("Login failed", e);
}
return mapping.findForward("index");
As I said, this WORKS; it actually logs the user in
correctly.
I think it may have logged you in correctly *with JBoss*. The
LoginContext you are using here is specific to JBoss, if I am not mistaken.
BUT when I get to index.jsp, I'm not logged in
anymore; the action seems to log the user in, doing
the stuff I ask, and as soon as the action leaves
scope, I'm back to not being logged in again. This makes me mad!!!!
Struts runs in the Tomcat container, within the JBoss JVM. When you
logged in with the JBoss login module, Tomcat knew nothing about it. To
log in with Tomcat, you have to send the form action to
"j_security_check". That is the way I understand it.
Erik
Then, I thought it could be an HttpSession issue, and I
inserted the following lines at the beginning of the
Action, BUT take a look at what happens.
// the first lines of the action
if (request.getSession(false) == null) {
    System.out.println("session not created");
}
/* Hahahaha, the weird thing is that my
   getSession(false) NEVER returns null!!! Even this
   being the first Action of my app. At the suggestion of
   other people I inserted the following line in
   struts-config.xml -> <controller locale="false"/>
   because Struts creates a session object if
   locale="true", which is the default option.
   So, to FORCE my login over here, I'll just go with
   invalidating my session. */
request.getSession().invalidate();
// all right, now I don't have a session anymore
// Right here I inserted all the login stuff code I
// mentioned earlier (which works fine, as I said) and
// then create a new session.
HttpSession session = request.getSession();
Do you see?? According to most references I read, this
was supposed to work, BUT my "security" session has a
scope of only one action; as soon as I leave I'm
forwarded and I need to go back and log in again. This is
sad...
Regards,
Leandro
--- Erik Weber <[EMAIL PROTECTED]> wrote:
Sorry, I may have misled you here:

Erik Weber wrote:

Leandro, perhaps I didn't explain very well. As far as I know, there is no way for you to intercept the login request and process the j_username and j_password parameters yourself -- you have to let the container receive the form submittal and process the login. This is why I said, your login form can't be a Struts form -- your login page is basically not going to be a part of Struts. You'll have to think of your login screen as one face of a container "module" or "extension" that can serve as the front door of *any* web apps running in that container. It doesn't belong to the web app, but you can make it look like it belongs to it, since the only requirement is to have an HTTP form that delivers those two parameters to the container.

However, once the container has processed the login (the container invokes login modules that you have configured with directions on how to map users to roles in your realm -- as you did with JBoss in your login-module XML configuration), it will propagate all the users and roles, etc., to the container and make them available to components running in that container -- suddenly those methods like HttpServletRequest.getUserPrincipal and HttpServletRequest.isUserInRole actually return something you can use. Now you are querying "standard" methods that all good containers should support. That is the idea anyway. Remember that this depends on an underlying security configuration that is going to be container-specific.

I can tell you that I have not been able to use this approach when deploying web apps in the JBoss-3.2.x-Tomcat-5.0.x stack.

By "this approach" I meant making the login page be a part of Struts. But using a login page that is a simple form with an action set to "j_security_check", and the parameters set to "j_username" and "j_password", does work just fine. I was trying to make my login screen a part of Struts (with an associated form-bean, etc., as I think you are trying to do) and that's what I'm saying doesn't work, not container-managed security itself, in JBoss/Tomcat.

I tried something similar to what you are trying (I wrote a CallbackHandler, etc. -- see the JBoss free doc on JAAS by Scott Stark, or maybe you already have). The problem is that you are logging in with a JBoss login module, and there is no integration between that module and Tomcat, if I am not mistaken.

I haven't tried container-managed security with Tomcat stand alone, but I am led to believe it is straightforward.

I don't know why I even wrote this sentence; it is completely irrelevant to what we were talking about (a container-managed login that is also part of your Struts app). I got sidetracked in my thinking. I am certain that container-managed security works just fine in its own right in either container.

A possible solution, if you have to stick with JBoss, could be for you to write code that logs in with not only the JBoss login modules, but the Tomcat ones. I don't know specifically how to do this or if it can be done, but I suspect that it can, and I've seen suggestions here and there on how to do it. However, I question whether it is worth the trouble. The idea here is to let the container do all this for you. Still, if you get something along these lines working, please share it, because I suspect it would be useful until such a time as JBoss and Tomcat integrate better when it comes to security. But be careful of wasting your time.

Erik
Leandro Melo wrote:

I'm back!

After doing some JAAS studying, I'm a little bit better, so I can now formulate a better question. Here it is... (I know that this is not only a Struts question, because it involves JAAS, but I'm pretty sure that people over here could give me some advice on how to handle the problem).

I got my application protected with JAAS, so users cannot access any pages or servlets without a login. I then built an Action to handle the login stuff. Here's the code of my LoginAction (execute method).
// Imports this snippet needs (the last two are JBoss classes from jbosssx.jar)
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.callback.UsernamePasswordHandler;
//...
String j_username = request.getParameter("j_username");
String x = request.getParameter("j_password");
char[] j_password = null;
UsernamePasswordHandler handler = null;
if (x != null) {
    j_password = x.toCharArray();
    // answers the login module's name/password callbacks
    handler = new UsernamePasswordHandler(j_username, j_password);
}
LoginContext lc = null;
try {
    // "example2" names an application-policy in login-config.xml
    lc = new LoginContext("example2", handler);
    lc.login();
    // this part doesn't matter very much
    Subject subject = lc.getSubject();
    Set principals = subject.getPrincipals();
    Principal user = new SimplePrincipal(j_username);
    principals.add(user);
} catch (LoginException e) {
    e.printStackTrace();
    throw new Exception("Login failed", e);
}
return mapping.findForward("index");
The above code runs perfectly! It logs the user in correctly and then I'm forwarded to my index page. BUT, when I get to index, everything is gone!!! I'm not logged in anymore. If I try to access another page in my application, I'm redirected to the login.jsp page again!!!

I heard that this is because of the multi-threaded nature of servlets, but how can I work around this??? How can I make it maintain my login through the rest of my session???
Here's a piece of login-config.xml
<application-policy name = "client-login">
<authentication>
<login-module code =
=== message truncated ===
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------