Hi

Can someone give me a few pointers on using SecurityFilter
with Struts? This could potentially save me hours of debugging.

My securityfilter-config.xml is:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE securityfilter-config PUBLIC
    "-//SecurityFilter.org//DTD Security Filter Configuration 1.1//EN"
    "http://www.securityfilter.org/dtd/securityfilter-config_1_1.dtd">

<securityfilter-config>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Admin Page</web-resource-name>
         <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>admin</role-name>
      </auth-constraint>
   </security-constraint>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>User Page</web-resource-name>
         <url-pattern>/user/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>user</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
         <form-login-page>/WEB-INF/pages/Login.jsp</form-login-page>
         <form-error-page>/WEB-INF/pages/error.jsp</form-error-page>
         <form-default-page>/index.jsp</form-default-page>
      </form-login-config>
   </login-config>

   <realm className="app.IbatisSecurityRealm">
      <realm-param name="exampleProperty" value="it works!" />
   </realm>

</securityfilter-config>

Now my struts-config.xml has something like

 <action path="/LogAction"
     type="app.LogAction"
     name="logonForm"
     scope="request"
     input="/WEB-INF/pages/Logon.jsp"
     parameter="action"
     validate="false">
     <forward
         name="success"
         path="/WEB-INF/pages/Welcome.jsp"/>
 </action>


And the path of every action in struts-config.xml will be
prefixed with either /admin/ or /user/, except for
those actions that forward to the Home page, login and
free info JSP pages.

Now Login.jsp has a submit button that will invoke LogAction,
which will put a User bean in the Session once the user is validated.

** Now, according to the SecurityFilter documentation, SecurityFilter
supports "unsolicited" login requests => when I press the submit
button on Login.jsp, is authentication by the SecurityFilter
class called first, or is authentication by LogAction called
first?

** Can I use Struts html tags in Logon.jsp to work with
SecurityFilter? E.g.
<html:form action="/LogAction"  focus="j_username">

** If authentication by SecurityFilter is processed first,
then I don't really need to authenticate the user in the LogAction
class but simply put the User bean in the Session, right?

Since SecurityFilter will do the authentication for me
and direct the page to error.jsp if validation fails.

** If validation fails, can I still queue an error message
(ActionError) in LogAction so that error.jsp will
display it?



Thanks
