Struts login using JAAS and login-config

Abe Froman
I believe I am having a chicken and egg problem using a Struts Action as
the form-login-page defined in my web.xml.

I followed a number of tutorials to get to this point but here is the
basic flow and the relevant parts of my config.

web.xml

This puts the security constraint on all .do URLs:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <description>Secure the action servlet</description>
    <url-pattern>*.do</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>AuthorizedUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

This forces users to the Login.do action, which works fine:
I can point to any .do URL and get redirected to Login.do.

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/Login.do</form-login-page>
    <form-error-page>/Logout.do</form-error-page>
  </form-login-config>
</login-config>


The problem is that when I need to submit Login.do to LoginSubmit.do, this
results in a redirection back to Login.do. Not what I want. So I
attempted to put all the logic in the LoginAction class associated with
the Login action.

struts-config.xml
<!-- Login Form -->
<form-bean name="loginForm"
           type="web.main.forms.util.LoginForm"/>

<!-- Login Form / Page -->

<forward name="login" path="/Login.do" />
<forward name="loginSubmit" path="/LoginSubmit.do" />

<!-- Login Actions -->
<action
    path="/Login"
    name="loginForm"
    scope="request"
    validate="false"
    type="web.main.actions.util.LoginAction"
    parameter=".mainLayout">
  <forward name="continue"
           path=".login"/>
</action>

<action
    path="/LoginSubmit"
    name="loginForm"
    type="web.main.actions.util.LoginSubmitAction"
    parameter=".mainLayout">
  <forward name="continue"
           path=".login"/>
</action>

This is busted for a number of reasons, the worst of which is that I have to
validate everything in the Action because I can't tell the difference
between the 1st land and a submit of a blank form. Should I be doing
this another way? I was thinking of using a servlet filter to check the
user's session and redirect; I will have to do this anyway.
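
A check on the configuration shown in the post, as an added example that is not part of the original post: it reports which paths fall under a protected url-pattern (the container intercepts unauthenticated requests to those, including a submit to LoginSubmit.do), whether the constraint enumerates HTTP methods, and whether FORM login runs with no transport guarantee. The function names, finding labels and the abridged sample are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
# Constructed sample, abridged from the web.xml in the post (no XML namespace assumed).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.do</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>AuthorizedUser</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Login.do</form-login-page>
      <form-error-page>/Logout.do</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

def matches(pattern, path):
    """Servlet url-pattern rules: '/x/*' prefix, '*.ext' extension, '/' default, else exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path

def audit(xml_text, extra_paths=()):
    """Return finding labels (hypothetical names) for a web.xml given as text."""
    root = ET.fromstring(xml_text)
    form = root.findtext("login-config/auth-method", "").strip() == "FORM"
    login_tags = ("form-login-page", "form-error-page")
    paths = [e.text.strip() for e in root.iter() if e.tag in login_tags] + list(extra_paths)
    findings = []
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # constraint does not require a role
        pats = [p.text.strip() for p in sc.iter("url-pattern")]
        findings += [f"protected:{p}" for p in paths if any(matches(x, p) for x in pats)]
        if sc.find("web-resource-collection/http-method") is not None:
            findings.append("methods-enumerated")  # unlisted HTTP methods are not constrained
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        if form and tg == "NONE":
            findings.append("form-login-without-tls")  # credentials not forced onto TLS
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML, ["/LoginSubmit.do", "/login.jsp"]))
```

Pass any additional paths the login flow touches (form submit targets, static login pages) as `extra_paths` to see which of them the constraint covers.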