OK, I found the solution. Actually, another in-house app had run into the same problem. Here is the solution for anyone else. BTW: we eventually found this issue by searching "declarative security 404".

<!-- NOTE: Instead of specifying an action as the form-login-page, a jsp
     containing a client side redirect to the action is used. The login
     action cannot be directly used as the login page specified in the
     web.xml b/c both tomcat and jboss issue server transfers (instead of
     client side redirects) to redirect to the login page specified. Since
     Struts 2 uses filters, when the server transfer is made, the struts 2
     filter is not passed, and thus the .action urls will not be found.
     For more info, see the following:
     https://issues.apache.org/struts/browse/WW-2025
     (GCUEVAS 8/19/08) -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login-redirect.jsp</form-login-page>
        <form-error-page>/login-redirect.jsp?auth=false</form-error-page>
    </form-login-config>
</login-config>

Here’s the meat of the referenced apache issue:

Using an action URI for web.xml declarative security results in a 404 "The requested resource (/mywebapp/login.action) is not available message." on Tomcat (both 5.5.x & 6.x). Representative XML configs below:

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.action</form-login-page>
        <form-error-page>/loginFailure.action</form-error-page>
    </form-login-config>
</login-config>

<action name="login">
    <result>/login.jsp</result>
</action>

Unfortunately it looks like the S2 architectural change from a Servlet to Servlet Filters is the culprit. After digging through the tomcat 5.5.23 (also present in the most recent 6.0.13 release) code I've come to the conclusion Struts2 actions CAN NOT be used for any of the common web.xml descriptor elements (form-login-page, form-error-page, welcome-file?, other?). Here's a snippet of the javadoc from org.apache.catalina.core.ApplicationDispatcher's invoke method:

 * <strong>IMPLEMENTATION NOTE</strong>: This implementation assumes
 * that no filters are applied to a forwarded or included resource,
 * because they were already done for the original request.

Since this worked in S1, I've opened this ticket as a BUG. The workaround I received on the user list of doing an HTTP meta REFRESH works, but results in screen flashing (even with a refresh of 0 seconds) and a poor user experience. I'd GREATLY appreciate if one of the Struts developers had a more elegant workaround suggestion. For example would it be feasible to port FilterDispatcher to a servlet?

Dan C. wrote:
>
> Hi, I have an application we migrated to struts 2. We originally had
> oracle OAM for authentication but now we are going back to JAAS. We used
> JAAS on struts 1 and it worked fine. I've added everything I need to in the
> web.xml but anytime I use a link that requires authentication I get a
> blank page and nothing in the logs (debugging is set to DEBUG). So, I
> decided to just create a small app that would redirect to a login page for
> testing and I got the same result.
>
> We are using oc4j and it worked with struts1 on oc4j. But, I also have a
> jboss version of the app and I get the same result.
>
> Any help would be greatly appreciated.
>
> Dan
>
> One other thing. I know the j_security_check works because if I go
> directly to my login action and login the app authenticates correctly.
> The only problem is the redirect managed by JAAS to the login action page.
>
> Here is the web.xml
>
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Authentication Needed</web-resource-name>
>         <url-pattern>/homeAuth.do</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>privileged_user</role-name>
>     </auth-constraint>
> </security-constraint>
>
> <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>         <form-login-page>/login.do</form-login-page>
>         <form-error-page>/loginRetry.do</form-error-page>
>     </form-login-config>
> </login-config>
>
> <security-role>
>     <role-name>privileged_user</role-name>
> </security-role>
>
> my struts config:
>
> <struts>
>     <package name="jaastest-default-config" namespace="/"
>              extends="struts-default,tiles-default">
>         <!-- add the tile result type for this package -->
>
>         <default-interceptor-ref name="defaultStack"/>
>
>         <action name="homeAuth">
>             <result name="success">/WEB-INF/homeAuth.jsp</result>
>         </action>
>         <action name="login">
>             <result name="success">/WEB-INF/login.jsp</result>
>         </action>
>         <action name="home">
>             <result name="success">/WEB-INF/home.jsp</result>
>         </action>
>     </package>
> </struts>
>

--
View this message in context: http://www.nabble.com/JAAS-not-working-tp23494554p23503036.html
Sent from the Struts - User mailing list archive at Nabble.com.
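
The solution above points form-login-page and form-error-page at /login-redirect.jsp but does not show that page. A sketch of what such a page can look like, as an added example that is not from the original post or the Struts project; the target name login.action and the way the auth flag is passed on are assumptions.

```jsp
<%-- login-redirect.jsp (constructed example, not from the original post).
     The container forwards to this page internally for form-login-page and
     form-error-page. The page answers with a client-side redirect (HTTP 302),
     so the follow-up request for the action is a fresh request that passes
     through the Struts 2 filter. --%>
<%@ page session="true" contentType="text/html; charset=UTF-8" %>
<%
    // Assumed action name; the Struts config in this thread maps "login".
    final String target = request.getContextPath() + "/login.action";

    // Pass on only the fixed flag that form-error-page sets in web.xml.
    // No other request data is copied into the Location header, so the
    // page cannot be turned into an open redirect or used to inject
    // header content.
    boolean failed = "false".equals(request.getParameter("auth"));
    String location = failed ? target + "?auth=false" : target;

    // Keep browsers and proxies from caching the redirect, so a later
    // login attempt always reaches the container again.
    response.setHeader("Cache-Control", "no-store");
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", 0);

    // The originally requested URL stays with the container's session,
    // which the browser carries across the redirect in its session cookie.
    response.sendRedirect(location);
%>
```

The login form rendered by the action still has to post j_username and j_password to j_security_check; the redirect only changes how the form page is reached.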