
Struts login using JAAS and login-config

 
Abe Froman
I believe I am having a chicken and egg problem using a Struts Action as
the form-login-page defined in my web.xml.

I followed a number of tutorials to get to this point but here is the
basic flow and the relevant parts of my config.

web.xml

This puts the security constraint on all .do urls
<security-constraint>
  <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <description>Secure the action servlet</description>
    <url-pattern>*.do</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>AuthorizedUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

This forces users to the Login.do action, which works fine:
I can point to any .do url and get redirected to Login.do.

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.do</form-login-page>
    <form-error-page>/Logout.do</form-error-page>
  </form-login-config>
</login-config>


The problem is that when I need to submit Login.do to LoginSubmit.do, this
results in a redirection back to Login.do. Not what I want. So I
attempted to put all the logic in the LoginAction class associated with
the Login action.

struts-config.xml
<!-- Login Form -->
<form-bean name="loginForm"
           type="web.main.forms.util.LoginForm"/>

<!-- Login Form / Page -->

<forward name="login" path="/Login.do" />
<forward name="loginSubmit" path="/LoginSubmit.do" />

<!-- Login Actions -->
<action
    path="/Login"
    name="loginForm"
    scope="request"
    validate="false"
    type="web.main.actions.util.LoginAction"
    parameter=".mainLayout">
  <forward name="continue"
           path=".login"/>
</action>

<action
    path="/LoginSubmit"
    name="loginForm"
    type="web.main.actions.util.LoginSubmitAction"
    parameter=".mainLayout">
  <forward name="continue"
           path=".login"/>
</action>

This is busted for a number of reasons, the worst of which is that I have to
validate everything in the Action because I can't tell the difference
between the first landing and a submit of a blank form. Should I be doing
this another way? I was thinking of using a servlet filter to check the
user's session and redirect; I will have to do this anyway.
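
The fragment below is an added example, not part of the original post or of any reply: one common way to configure container-managed FORM login so that the credential submit goes to the container and never through a protected Struts action. The form target `j_security_check` and the fields `j_username` and `j_password` are defined by the servlet specification; the JSP paths are hypothetical, and the role name is taken from the post.

```xml
<!-- Added example: web.xml fragment for container-managed FORM login. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <!-- No <http-method> elements here: the constraint then covers every
         HTTP method, not only the ones that would otherwise be listed. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>AuthorizedUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL tells the container to require an encrypted
         transport for requests that match the pattern above. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Hypothetical paths: plain JSPs that do not match *.do, so the
         login and error pages are not themselves behind the constraint. -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role used in an auth-constraint is declared once. -->
<security-role>
  <role-name>AuthorizedUser</role-name>
</security-role>

<!-- login.jsp (hypothetical) posts to the container, which checks the
     credentials against the configured realm and then sends the user on
     to the URL that was originally requested:

  <form method="POST" action="j_security_check">
    <input type="text" name="j_username"/>
    <input type="password" name="j_password"/>
    <input type="submit" value="Log in"/>
  </form>
-->
```

With this layout no Struts action handles the submit, so the application never has to tell a first visit from a blank form post; the container owns that step.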
 