Hello!

We are trying to implement a login/security environment using Tomcat 5.5's JAASRealm and Struts as an MVC framework. After login, which fails with the error "HTTP Status 403 - Access to the requested resource has been denied", we can navigate manually to our output.jsp and use

    ...
    <%= request.getUserPrincipal() %>
    ...
    <%= request.isUserInRole("administrator") %>
    ...
    <logic:present role="administrator">
      Admin present!
    </logic:present>

These return the correct username, (true) for isUserInRole, and the logic tag also works...

BUT our problem is: we protected *.do in our web.xml to be only accessible by users in role "administrator", which fails as described above. Why does the login fail, but we still get a valid Subject with Principals, and can access the roles on the output.jsp?

We are stuck now for over a week, reading tutorials, asking Google, but with no success... Any ideas would be appreciated!

Our relevant source code:

----------------- Tomcat's server.xml --------------------------------------------------
<Server port="8005" shutdown="SHUTDOWN">
  ...
  <Service name="Catalina">
    ...
    <Engine name="Catalina" defaultHost="localhost">
      ...
      <Realm className="org.apache.catalina.realm.JAASRealm"
             appName="SimpleLogin"
             userClassNames="my.strutsLogin.UserPrincipal"
             roleClassNames="my.strutsLogin.GroupPrincipal"
             useContextClassLoader="false" />
      <Host ...>
      </Host>
    </Engine>
  </Service>
</Server>

---------------------------- web.xml of our project ------------------------------------
...
<servlet-name>logonAction</servlet-name>
...
<servlet-mapping>
  <servlet-name>logonAction</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>logonAction</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JAASRealm</realm-name>
</login-config>
<security-role>
  <role-name>administrator</role-name>
</security-role>
</web-app>

Greetings
Carsten Schiller.