Even if we used Struts tags, it would still render HTML so I don't see how 
using tags would increase security.

On Apr 8, 2010, at 12:25 PM, tibor strausz wrote:

> ok thanks!
> 
> do you know the reason why in the login.jsp with j_security there is no
> use of struts tags?
> 
> i think i read something that it's not a good idea? will it break security?
> 
> tibi
> 
> 
> 
> Matt Raible wrote:
>> I believe there are different errors that Spring Security sends for
>> different events. The one that's commented out below merely grabs the
>> last one set.
>> 
>> On Thu, Apr 8, 2010 at 2:29 AM, <t...@dds.nl> wrote:
>> 
>>    ok it seems to work.
>>    don't forget to add:
>>       <property name="passwordEncoder" ref="passwordEncoder" />
>>    to myAuthenticationProvider bean in the below config file.
>> 
>> 
>>    one other question in the login jsp i want to show the error message.
>> 
>>    now this is used:
>>    <c:if test="${param.error != null}">
>>       <li class="error">
>>           <img src="${ctx}/images/iconWarning.gif" alt="<fmt:message key='icon.warning'/>" class="icon"/>
>>           <fmt:message key="errors.password.mismatch"/>
>>           <%--${sessionScope.SPRING_SECURITY_LAST_EXCEPTION.message}--%>
>>       </li>
>>    </c:if>
>> 
>>    how can i differentiate between different errors?
>>    (wrong credentials or no more attempts)
>> 
>> 
>>    tibi
>> 
>> 
>> 
>> 
>> 
>>        ok it works.
>> 
>>        what i did:
>> 
>>        in the applicationContext-struts.xml i added (changed) this:
>> 
>>        <beans xmlns="http://www.springframework.org/schema/beans"
>>               xmlns:security="http://www.springframework.org/schema/security"
>>               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>               xsi:schemaLocation="http://www.springframework.org/schema/beans
>>                   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>>                   http://www.springframework.org/schema/security
>>                   http://www.springframework.org/schema/security/spring-security-2.0.xsd"
>>               default-lazy-init="true">
>> 
>>            <bean id="adminInterceptor"
>>                  class="nl.rapidsugar.emailOpMaat.webapp.interceptor.UserRoleAuthorizationInterceptor">
>>                <property name="authorizedRoles" value="ROLE_ADMIN" />
>>            </bean>
>>            <bean id="authenticationManager"
>>                  class="org.springframework.security.providers.ProviderManager">
>>                <property name="providers">
>>                    <list>
>>                        <ref local="myAuthenticationProvider" />
>>                    </list>
>>                </property>
>>            </bean>
>> 
>>            <bean id="myAuthenticationProvider"
>>                  class="nl.rapidsugar.emailOpMaat.webapp.interceptor.MyAuthenticationProvider">
>>                <security:custom-authentication-provider />
>>                <property name="userDetailsService" ref="userDao" />
>>            </bean>
>>        ....
>> 
>>        basically i'm adding a bean into the providers list.
>> 
>>        then a java class:
>> 
>>        package nl.rapidsugar.emailOpMaat.webapp.interceptor;
>> 
>>        import org.springframework.security.AuthenticationException;
>>        import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
>>        import org.springframework.security.providers.dao.DaoAuthenticationProvider;
>>        import org.springframework.security.userdetails.UserDetails;
>> 
>>        public class MyAuthenticationProvider extends DaoAuthenticationProvider {
>> 
>>            @Override
>>            protected void additionalAuthenticationChecks(UserDetails userDetails,
>>                    UsernamePasswordAuthenticationToken authentication)
>>                    throws AuthenticationException {
>>                // TODO Auto-generated method stub
>>                super.additionalAuthenticationChecks(userDetails, authentication);
>>            }
>>        }
>> 
>> 
>>        in debug mode i'm hitting this method... so now let's see what
>>        i can do here :D
>> 
>>        have fun!
>> 
>> 
>>            i will look into this tomorrow:
>> 
>>            http://forum.springsource.org/showthread.php?t=52377
>> 
>> 
>> 
>>            Quoting t...@dds.nl:
>> 
>>                :(
>> 
>> 
>>                i will...
>> 
>> 
>> 
>> 
>>                Quoting Matt Raible <m...@raibledesigns.com>:
>> 
>>                    Unfortunately, I don't know the answer to this.
>>                    You might search Spring
>>                    Security's forums.
>> 
>>                    On Tue, Apr 6, 2010 at 12:25 PM, <t...@dds.nl> wrote:
>> 
>>                        some  investigation led me to the
>>                        postAuthenticationChecks
>> 
>>                        seems to do the trick. but how can i inject my
>>                        own class there?
>> 
>>                        is it autowired?
>> 
>>                        thanks for any pointers,
>> 
>>                        tibi
>> 
>> 
>> 
>> 
>>                        hi list
>> 
>>                            hi matt,
>> 
>>                            i need to count the wrong logins (after 3
>>                            wrong logins block account).
>>                            how can i get in the loop of j_security_check?
>> 
>> 
>>                            thanks,
>> 
>>                            tibi
>> 
>> 
>>                            
>> ---------------------------------------------------------------------
>>                            To unsubscribe, e-mail:
>>                            users-unsubscr...@appfuse.dev.java.net
>>                            <mailto:users-unsubscr...@appfuse.dev.java.net>
>>                            For additional commands, e-mail:
>>                            users-h...@appfuse.dev.java.net
>>                            <mailto:users-h...@appfuse.dev.java.net>
>> 
> 
> 
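
An added example, not code from this thread or from AppFuse: one way to count wrong logins in the additionalAuthenticationChecks hook discussed above, written against the Spring Security 2.0 classes the thread imports. The class name LockoutAuthenticationProvider, the MAX_FAILURES constant and the in-memory counter are assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.springframework.security.AuthenticationException;
import org.springframework.security.BadCredentialsException;
import org.springframework.security.LockedException;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.dao.DaoAuthenticationProvider;
import org.springframework.security.userdetails.UserDetails;

// Hypothetical subclass (added example): counts consecutive wrong passwords
// per username and refuses further attempts once MAX_FAILURES is reached.
public class LockoutAuthenticationProvider extends DaoAuthenticationProvider {

    private static final int MAX_FAILURES = 3; // "after 3 wrong logins block account"

    // Assumption: in-memory counter, lost on restart and not shared between
    // nodes. A real deployment would persist this on the user record.
    private final ConcurrentMap<String, AtomicInteger> failures =
            new ConcurrentHashMap<String, AtomicInteger>();

    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails,
            UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        String username = userDetails.getUsername();
        AtomicInteger count = failures.get(username);

        // Refuse before the password is compared, so a blocked account
        // cannot be used to keep testing passwords.
        if (count != null && count.get() >= MAX_FAILURES) {
            throw new LockedException("No more login attempts for this account");
        }
        try {
            // Password comparison, done by DaoAuthenticationProvider.
            super.additionalAuthenticationChecks(userDetails, authentication);
        } catch (BadCredentialsException e) {
            failures.putIfAbsent(username, new AtomicInteger(0));
            failures.get(username).incrementAndGet();
            throw e; // still reported as wrong credentials
        }
        failures.remove(username); // a successful login resets the counter
    }
}
```

With this in place the exception stored under SPRING_SECURITY_LAST_EXCEPTION is a LockedException for a blocked account and a BadCredentialsException for a wrong password, which is what the login page can use to pick its message. The hook only runs after the user has been loaded, so attempts against unknown usernames are not counted here.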

