Hi,

Can someone give me a few pointers on using SecurityFilter with Struts? This can potentially save me hours of debugging.

My securityfilter-config.xml is:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE securityfilter-config PUBLIC
    "-//SecurityFilter.org//DTD Security Filter Configuration 1.1//EN"
    "http://www.securityfilter.org/dtd/securityfilter-config_1_1.dtd">
<securityfilter-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Page</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User Page</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/pages/Login.jsp</form-login-page>
      <form-error-page>/WEB-INF/pages/error.jsp</form-error-page>
      <form-default-page>/index.jsp</form-default-page>
    </form-login-config>
  </login-config>
  <realm className="app.IbatisSecurityRealm">
    <realm-param name="exampleProperty" value="it works!" />
  </realm>
</securityfilter-config>

Now my struts-config.xml has something like:

<action path="/LogAction"
        type="app.LogAction"
        name="logonForm"
        scope="request"
        input="/WEB-INF/pages/Logon.jsp"
        parameter="action"
        validate="false">
  <forward name="success" path="/WEB-INF/pages/Welcome.jsp"/>
</action>

And the path of every action in struts-config.xml will be prefixed with either /admin/ or /user/, except for those actions that forward to the Home page, login and free info JSP page.

Now Login.jsp has a submit button that will invoke LogAction, which will put a User bean in the Session once the user is validated.

** Now according to the documentation on SecurityFilter, SecurityFilter supports "unsolicited" login requests => when I press the submit button on Login.jsp, is authentication by the SecurityFilter class called first or is authentication by LogAction called first?

** Can I use Struts html tags in Logon.jsp to work with SecurityFilter? E.g.

<html:form action="/LogAction" focus="j_username">

** If authentication by SecurityFilter is processed first, then I don't really need to authenticate the user in the LogAction class but simply put the User bean in the Session, right? Since SecurityFilter will do the authentication for me and direct the page to error.jsp if validation failed.

** If validation fails, can I still queue an error message (ActionError) in LogAction so that error.jsp will display it?

Thanks