A shot in the dark here: Are the request params in SecurityFilter still
around if you forward to a Struts action.
Say like this? (I do this, but I don't try to access the params).
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/do/LoginRequired</form-login-page>
<form-error-page>/do/LoginError</form-error-page>
<form-default-page>/do/SuccessfulLogin</form-default-page>
</form-login-config>
</login-config>
If so, it should be pretty simple...
> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Siggelkow
> Sent: Monday, February 07, 2005 10:02 PM
> To: user@struts.apache.org
> Subject: Re: Application Security
>
> Tim,
>
> The first problem of populating a form bean with user data
> can be handled by populating/creating a UserBean using
> techniques such as a servlet filter. Alternatively, you can
> extend the RequestProcessor.
> Other techniques that work, but are not as global in nature,
> are using a base action. The last technique which provides
> the least coverage is to use a <jsp:useBean> tag which
> creates/retrieves a UserBean and populates
> user data on the setter method for the user name.
>
> As far as logging of failed attempts, using container-managed
> security, this will vary by container. Have you tried
> applying a filter to j_security_check? I don't know if this
> is allowed by the servlet spec, but it would seem to be one
> way you could check for successful login.
>
> AFAIK, SecurityFilter should allow you to "roll your own"
> security while still permitting similar ease of configuration
> for authentication and authorization as container-managed security.
>
> -Bill Siggelkow
>
> Tim Christopher wrote:
> > Hi,
> >
> > I've recently discovered that it is not possible to map an
> action to
> > j_security_check. Given this situation how is it possible
> to populate
> > a form bean with user data, or create a log of any failed login
> > attempts (bad username / password) if the container takes
> control of
> > the entire login process?
> >
> > Looking back at previous posts to the newsgroup I can see
> that in the
> > past people have just used plain html to produce the
> j_security_check
> > form. Is it possible to do this using the <sslext:form>
> tag, but so
> > that it does not require a Struts action mapping for
> j_security_check
> > to be present?
> >
> > I was currently intending on using JDBCRealm and the
> security-filter
> > to control the site's security, though given the above problems I'm
> > starting to think there might be a better way? Or are
> these problems
> > everyone has already solved, as surely some form of login system is
> > present in the vast majority of Struts applications.
> >
> > Cheers for any help / suggestions.
> >
> > Tim Christopher
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
