A shot in the dark here: Are the request params in SecurityFilter still around if you forward to a Struts action?
Say like this? (I do this, but I don't try to access the params).

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/do/LoginRequired</form-login-page>
    <form-error-page>/do/LoginError</form-error-page>
    <form-default-page>/do/SuccessfulLogin</form-default-page>
  </form-login-config>
</login-config>

If so, it should be pretty simple...

> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Siggelkow
> Sent: Monday, February 07, 2005 10:02 PM
> To: user@struts.apache.org
> Subject: Re: Application Security
>
> Tim,
>
> The first problem of populating a form bean with user data can be
> handled by populating/creating a UserBean using techniques such as
> a servlet filter. Alternatively, you can extend the RequestProcessor.
> Other techniques that work, but are not as global in nature, are
> using a base action. The last technique which provides the least
> coverage is to use a <jsp:useBean> tag which creates/retrieves a
> UserBean and populates user data on the setter method for the user
> name.
>
> As far as logging of failed attempts, using container-managed
> security, this will vary by container. Have you tried applying a
> filter to j_security_check? I don't know if this is allowed by the
> servlet spec, but it would seem to be one way you could check for
> successful login.
>
> AFAIK, SecurityFilter should allow you to "roll your own" security
> while still permitting similar ease of configuration for
> authentication and authorization as container-managed security.
>
> -Bill Siggelkow
>
> Tim Christopher wrote:
> > Hi,
> >
> > I've recently discovered that it is not possible to map an action
> > to j_security_check. Given this situation how is it possible to
> > populate a form bean with user data, or create a log of any failed
> > login attempts (bad username / password) if the container takes
> > control of the entire login process?
> >
> > Looking back at previous posts to the newsgroup I can see that in
> > the past people have just used plain html to produce the
> > j_security_check form. Is it possible to do this using the
> > <sslext:form> tag, but so that it does not require a Struts action
> > mapping for j_security_check to be present?
> >
> > I was currently intending on using JDBCRealm and the
> > security-filter to control the site's security, though given the
> > above problems I'm starting to think there might be a better way?
> > Or are these problems everyone has already solved, as surely some
> > form of login system is present in the vast majority of Struts
> > applications.
> >
> > Cheers for any help / suggestions.
> >
> > Tim Christopher
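
The servlet-filter approach mentioned in Bill's reply, as an added example that is not part of the original thread: a filter that builds a session-scoped UserBean from the user name the container (or SecurityFilter's request wrapper) reports. The UserBean class, the `userBean` attribute name and the `admin` role are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.Serializable;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical bean; the thread names a UserBean but never shows one.
 *  In a real project it would be its own public class so JSPs can use it. */
class UserBean implements Serializable {
    private final String userName;
    private final boolean admin;
    UserBean(String userName, boolean admin) { this.userName = userName; this.admin = admin; }
    public String getUserName() { return userName; }
    public boolean isAdmin() { return admin; }
}

/** Map to /* in web.xml (after any security filter) so every action sees the bean. */
public class UserBeanFilter implements Filter {
    static final String KEY = "userBean";   // assumed session attribute name

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String remoteUser = request.getRemoteUser();      // null until authentication succeeded
        HttpSession session = request.getSession(false);  // never create a session for anonymous hits

        if (remoteUser == null) {
            // Not logged in: make sure no bean from an earlier login lingers.
            if (session != null) session.removeAttribute(KEY);
        } else {
            if (session == null) session = request.getSession();
            UserBean bean = (UserBean) session.getAttribute(KEY);
            // Rebuild when missing or when it belongs to a different principal,
            // so actions never act on a stale identity.
            if (bean == null || !remoteUser.equals(bean.getUserName())) {
                // "admin" is an assumed role; a JDBC profile lookup would go here.
                session.setAttribute(KEY, new UserBean(remoteUser, request.isUserInRole("admin")));
            }
        }
        chain.doFilter(req, res);
    }
}
```

Because the bean is derived from `getRemoteUser()` on every request rather than from request parameters, a client cannot influence which identity it carries.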