Hi Kelly,
In struts.xml, the namespace given to your package needs to be in
/protected as well.
eg. <package name="myPackage" namespace="/protected">
Otherwise, as you've seen, it's available in the root of the
application's context path.
I usually split my struts2 application into at least two packages:
<package name="public" namespace="/"> ...
<package name="secure" namespace="/protected">
Which then allows you to apply your container-managed security where
necessary.
I would add a login action to the public namespace which prepares a
login page. Unfortunately, I don't think the container will allow you to
specify "/login.action" as the login page, but you can make
login.jsp redirect to it.
Hope that helps,
regards,
Jeromy Evans
Kelly Graus wrote:
Hi Everyone,
I'm attempting to secure my first Struts 2 web app using container
security with a DataSourceRealm. I'm using Tomcat 6 as my container.
Here is how my project is set up:
LicensingAdministration/
  META-INF/
    context.xml
  WEB-INF/
    web.xml
    classes/
      struts.xml
  protected/
    *JSP pages*
  login.jsp
  error.jsp
Without using struts, this works perfectly. Any attempt to access
anything under the protected area results in a redirect to the login
page, and from there all of the database stuff works fine. However,
when I added in struts, I am now able to bypass the security by
specifying an action directly.
For example, navigating to
http://localhost:8080/LicensingAdministration/CreateProduct.action
will bypass the login page and go directly to the CreateProduct
action. However, navigating to
http://localhost:8080/LicensingAdministration/protected/CreateProduct.action
will perform a redirect to the login (as expected).
Any suggestions on how to secure the actions so that the login cannot
be bypassed would be greatly appreciated! Below are the relevant
parts of my web.xml and context.xml files (I can post the full files
if necessary, but they contain a lot of resource definitions that
aren't related to the problem).
Also, in a slightly unrelated question, is it possible to use struts
tags in the login page? I was trying to use an s:url tag to specify
the location of the css. When redirected to the login page, the
server threw an exception and I got an error message stating that the
Struts dispatcher cannot be found.
Thanks!
Kelly
[web.xml]
<filter>
  <filter-name>struts2</filter-name>
  <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
  <filter-name>struts2</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
[snip]
<resource-env-ref>
  <resource-env-ref-name>jdbc/UsersDS</resource-env-ref-name>
  <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
</resource-env-ref>
<!-- Security Constraints -->
<security-constraint>
  <display-name>name</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>licensing-admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Licensing Administration</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>licensing-admin</role-name>
</security-role>
<welcome-file-list>
  <welcome-file>protected/administer.jsp</welcome-file>
</welcome-file-list>
[/web.xml]
[context.xml]
<Resource name="jdbc/UsersDS" auth="Container"
          type="javax.sql.DataSource"
          username="username"
          password="password"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost:3306/users"/>
<!-- Security Realm -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/UsersDS" localDataSource="true"
       userTable="users" userNameCol="user_name"
       userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
[/context.xml]
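The root cause in this thread is a mismatch between where Struts 2 exposes an action (its package namespace plus ".action") and where web.xml's security-constraint url-pattern applies (/protected/*). The following is an added example, not code from either poster or from the Struts project: a small Python check that parses a struts.xml and a web.xml, computes the URL path of every declared action, and lists the actions that no auth-constrained url-pattern covers. The struts.xml and web.xml below are constructed to mirror the thread (the public/secure package split Jeromy describes, plus a deliberately misplaced action in the "/" namespace); the package and class names are assumptions. The check models each action only at its declared namespace and does not model Struts' fallback to the default namespace.

```python
import xml.etree.ElementTree as ET

# Constructed struts.xml following the two-package split from the reply
# (package/action/class names are assumptions, not from the original post).
STRUTS_XML = """<struts>
  <package name="public" namespace="/" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result>/login.jsp</result>
    </action>
  </package>
  <package name="secure" namespace="/protected" extends="struts-default">
    <action name="CreateProduct" class="example.CreateProductAction">
      <result>/protected/createProduct.jsp</result>
    </action>
  </package>
  <package name="misplaced" namespace="/" extends="struts-default">
    <action name="DeleteProduct" class="example.DeleteProductAction"/>
  </package>
</struts>"""

# Constructed web.xml fragment with the same constraint as in the thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>licensing-admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix such as '{http://java.sun.com/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]


def action_paths(struts_xml, extension="action"):
    """Return (package, action, url_path) for every action in struts.xml.

    A package with namespace "/" or "" exposes its actions at the context root,
    e.g. /CreateProduct.action; namespace "/protected" gives /protected/CreateProduct.action.
    """
    root = ET.fromstring(struts_xml)
    paths = []
    for pkg in root.iter():
        if _local(pkg.tag) != "package":
            continue
        ns = pkg.get("namespace", "")
        prefix = "" if ns in ("", "/") else ns.rstrip("/")
        for act in pkg.iter():
            if _local(act.tag) == "action":
                paths.append((pkg.get("name"), act.get("name"),
                              f"{prefix}/{act.get('name')}.{extension}"))
    return paths


def constrained_patterns(web_xml):
    """Return url-patterns from security-constraints that carry an auth-constraint.

    A security-constraint without auth-constraint does not require a login,
    so its patterns are not counted as protecting anything.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(e.tag) == "auth-constraint" for e in sc.iter()):
            continue
        patterns.extend(e.text.strip() for e in sc.iter()
                        if _local(e.tag) == "url-pattern" and e.text)
    return patterns


def pattern_matches(pattern, path):
    """Servlet url-pattern semantics: path prefix '/x/*', extension '*.ext', or exact."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def unprotected_actions(struts_xml, web_xml):
    """Actions whose URL path is matched by no auth-constrained url-pattern."""
    patterns = constrained_patterns(web_xml)
    return [(pkg, act, path) for pkg, act, path in action_paths(struts_xml)
            if not any(pattern_matches(p, path) for p in patterns)]


if __name__ == "__main__":
    for pkg, act, path in unprotected_actions(STRUTS_XML, WEB_XML):
        print(f"no security-constraint covers {path} (package {pkg!r}, action {act!r})")
```

Run as-is, the script reports /login.action (expected to be public) and /DeleteProduct.action (the misplaced action), while /protected/CreateProduct.action is covered. Moving the "misplaced" package's namespace to "/protected" makes the second finding disappear, which is exactly the change suggested in the reply.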
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]