Hi Kelly,

In struts.xml, the namespace given to your package needs to be in /protected as well.
eg. <package name="myPackage" namespace="/protected">
Otherwise, as you've seen, it's available in the root of the application's context path.

I usually split my struts2 application into at least two packages:
<package name="public" namespace="/"> ...
<package name="secure" namespace="/protected">

Which then allows you to apply your container-managed security where necessary.

I would add a login action to the public namespace which prepares a login page. Unfortunately I don't think the container will allow you to specify "/login.action" as the login page though, but you can make login.jsp redirect to it.

Hope that helps,
regards,
Jeromy Evans

Kelly Graus wrote:
Hi Everyone,

I'm attempting to secure my first Struts 2 web app using container security with a DataSourceRealm. I'm using Tomcat 6 as my container. Here is how my project is setup:

LicensingAdministration/
   META-INF/
      context.xml
   WEB-INF/
      web.xml
      classes/
         struts.xml
   protected/
      *JSP pages*
   login.jsp
   error.jsp

Without using struts, this works perfectly. Any attempt to access anything under the protected area results in a redirect to the login page, and from there all of the database stuff works fine. However, when I added in struts, I am now able to bypass the security by specifying an action directly.

For example, navigating to http://localhost:8080/LicensingAdministration/CreateProduct.action will bypass the login page and go directly to the CreateProduct action. However, navigating to http://localhost:8080/LicensingAdministration/protected/CreateProduct.action will perform a redirect to the login (as expected).

Any suggestions on how to secure the actions so that the login cannot be bypassed would be greatly appreciated! Below are the relevant parts of my web.xml and context.xml files (I can post the full files if necessary, but they contain a lot of resource definitions that aren't related to the problem).

Also, in a slightly unrelated question, is it possible to use struts tags in the login page? I was trying to use an s:url tag to specify the location of the css. When redirected to the login page, the server threw an exception and I got an error message stating that the Struts dispatcher cannot be found.

Thanks!

Kelly

[web.xml]
 <filter>
   <filter-name>struts2</filter-name>
   <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
 </filter>

 <filter-mapping>
   <filter-name>struts2</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>

[snip]

 <resource-env-ref>
   <resource-env-ref-name>jdbc/UsersDS</resource-env-ref-name>
   <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
 </resource-env-ref>

 <!-- Security Constraints -->
 <security-constraint>
   <display-name>name</display-name>
   <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <url-pattern>/protected/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>licensing-admin</role-name>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>FORM</auth-method>
   <realm-name>Licensing Administration</realm-name>
   <form-login-config>
     <form-login-page>/login.jsp</form-login-page>
     <form-error-page>/error.jsp</form-error-page>
   </form-login-config>
 </login-config>
 <security-role>
   <role-name>licensing-admin</role-name>
 </security-role>

 <welcome-file-list>
     <welcome-file>protected/administer.jsp</welcome-file>
 </welcome-file-list>
[/web.xml]

[context.xml]
<Resource name="jdbc/UsersDS" auth="Container"
          type="javax.sql.DataSource"
          username="username"
          password="password"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost:3306/users"/>

<!-- Security Realm -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/UsersDS" localDataSource="true"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
[/context.xml]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
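Added example, not part of either message above. The root cause Jeromy points at is that the container only sees the request path (it matches url-patterns such as /protected/* against it), while Struts derives the package namespace from the same path prefix, so an action whose package has namespace "/" answers at /CreateProduct.action no matter what web.xml guards under /protected/*. The script below makes that mismatch checkable: it reads the security constraints out of web.xml, computes the URL of every action declared in struts.xml, and prints the actions that no role-requiring constraint covers. Both embedded documents are constructed for this example; the package names "public" and "secure", the example.* action classes, the ListProducts action and the extra /reports/* constraint are assumptions, not Kelly's real configuration.

```python
"""Cross-check Struts 2 action namespaces against web.xml security constraints.

Added example (not from the mailing-list thread). Reports every action URL
that is NOT covered by a <security-constraint> carrying an <auth-constraint>.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragment, shaped like the thread's excerpt.
# The second constraint has no <auth-constraint>, so it protects nothing.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>licensing-admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed sample struts.xml: the public/secure split Jeromy describes,
# with CreateProduct still left in the root namespace by mistake.
STRUTS_XML = """<struts>
  <package name="public" namespace="/" extends="struts-default">
    <action name="login" class="example.LoginAction"/>
    <action name="CreateProduct" class="example.CreateProductAction"/>
  </package>
  <package name="secure" namespace="/protected" extends="struts-default">
    <action name="ListProducts" class="example.ListProductsAction"/>
  </package>
</struts>"""


def protected_patterns(web_xml):
    """Return url-patterns from constraints that actually demand a role."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint: the container admits everyone
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
    return patterns


def struts_action_urls(struts_xml, extension="action"):
    """Map "package:action" to the context-relative URL that invokes it.

    Namespace "/" (or none) collapses to the context root, which is exactly
    the case the thread is about. Wildcard action names are kept literally;
    the namespace prefix is what decides coverage by a /x/* pattern.
    """
    urls = {}
    for pkg in ET.fromstring(struts_xml).iter("package"):
        ns = pkg.get("namespace", "").rstrip("/")
        for act in pkg.findall("action"):
            name = act.get("name")
            urls[f"{pkg.get('name')}:{name}"] = f"{ns}/{name}.{extension}"
    return urls


def matches(pattern, path):
    """Servlet-spec url-pattern matching: default, path prefix, extension, exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def unprotected_actions(web_xml, struts_xml):
    """Return {"package:action": url} for actions no authenticating constraint covers."""
    pats = protected_patterns(web_xml)
    return {key: url for key, url in struts_action_urls(struts_xml).items()
            if not any(matches(p, url) for p in pats)}


if __name__ == "__main__":
    for key, url in unprotected_actions(WEB_XML, STRUTS_XML).items():
        print(f"UNPROTECTED {key} -> {url}")
```

Run against the sample documents it reports public:login and public:CreateProduct; the login action is meant to be reachable, CreateProduct is the bypass Kelly observed, and secure:ListProducts is silent because /protected/ListProducts.action falls under /protected/*. Two caveats the check deliberately encodes: a constraint without an auth-constraint is ignored because it requires no role, and a constraint is counted for all HTTP methods, so if your real web.xml lists specific http-method elements the uncovered methods are still open and need a separate look.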