Piero Sartini wrote:
> On Thursday, 8 February 2007, Ian Roughley wrote:
>> You probably don't need to send it to an action, you just need to render
>> the HTML form for authentication. So, login.jsp would suffice. As far
>> as s2 is concerned, authentication is completely external. The role
>> interceptor just uses the HttpServletRequest to obtain the roles that
>> the current user is logged in under.
> If security is completely external, what is the Interceptor for?
Authentication is external - not security. The interceptor is there to
provide the user's role (from authenticating) to the action, so the
action can use it to provide the security constraints that you want in
your application.
> Defining a
> SecurityConstraint in the web.xml file will prevent unauthorized access as
> well, wouldn't it?
Yes.
> (It seems to be the wrong way to me - I define the actions
> in struts.xml; I do not see the point to include them in web.xml as well for
> security)
It's all about options. I use the web.xml to secure directories, then
roles in the action / pages to provide finer level of control.
> But the interceptor just responds with a 403 if the user is not authorized - is
> there no possibility to present another action in this case (the login
> form?).
> Or do I misunderstand this whole thing completely?
> ----- code -----
> <security-constraint>
> <display-name>Constraint1</display-name>
> <web-resource-collection>
> <web-resource-name>profile</web-resource-name>
> <description>change user profile</description>
> <url-pattern>/EditProfile_input.action</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>HEAD</http-method>
> <http-method>PUT</http-method>
> <http-method>OPTIONS</http-method>
> <http-method>TRACE</http-method>
> <http-method>DELETE</http-method>
> </web-resource-collection>
> <auth-constraint>
> <description/>
> <role-name>portalUser</role-name>
> </auth-constraint>
> </security-constraint>
> ---- code -----
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
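The last question in the thread (can the interceptor present the login form instead of a bare 403?) is answerable by overriding the rejection hook of the stock roles interceptor. The following is an added example, not code from the thread or from Struts itself. It assumes Struts 2.0.x, where `org.apache.struts2.interceptor.RolesInterceptor` checks `HttpServletRequest.isUserInRole` in `isAllowed(...)` and calls a protected `handleRejection(ActionInvocation, HttpServletResponse)` that sends `SC_FORBIDDEN`; the package name `example.security`, the class name and the result name `login` are hypothetical and must be wired up in struts.xml as described below.

```java
// Added example (not from the thread): a Struts 2 roles interceptor that sends an
// anonymous caller to a named result (the login form) instead of the stock 403.
// Assumes Struts 2.0.x RolesInterceptor with an overridable handleRejection(...).
// "example.security" and the result name "login" are hypothetical.
package example.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;
import org.apache.struts2.interceptor.RolesInterceptor;

import com.opensymphony.xwork2.ActionInvocation;

public class LoginRedirectRolesInterceptor extends RolesInterceptor {

    /** Result returned when an unauthenticated caller hits a protected action. */
    private String rejectionResult = "login";

    /** Configurable from struts.xml via <param name="rejectionResult">. */
    public void setRejectionResult(String rejectionResult) {
        this.rejectionResult = rejectionResult;
    }

    @Override
    protected String handleRejection(ActionInvocation invocation,
                                     HttpServletResponse response) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        // No principal at all: the caller never authenticated, so offer the
        // login form rather than a dead-end 403.
        if (request.getUserPrincipal() == null) {
            return rejectionResult;
        }

        // Authenticated but not in any allowed role: keep the container-style 403.
        // Sending a logged-in user back to the login form would only loop.
        return super.handleRejection(invocation, response);
    }
}
```

Wiring (also assumed, not from the thread): declare the class in struts.xml with `<interceptor name="loginRoles" class="example.security.LoginRedirectRolesInterceptor"/>`, reference it on the action with `<interceptor-ref name="loginRoles"><param name="allowedRoles">portalUser</param></interceptor-ref>`, and map the result once under `<global-results>`, e.g. `<result name="login" type="redirect">/login.jsp</result>`. This only matters for URLs the container does not already constrain: for anything under a `<security-constraint>`, the container's `<login-config>` (FORM auth pointing at login.jsp) presents the form before Struts ever runs. Two caveats on the posted web.xml fragment: listing `<http-method>` elements restricts the constraint to exactly those verbs and leaves any other method unconstrained, so omitting them (which constrains all methods) is the safer form; and the role check in the interceptor is authorization only, so it is no substitute for the container constraint on the same URL when the action can also be reached by a path the interceptor stack does not cover.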