Struts JSP J2EE Security

Srinivasa Kakumanu
Greenhorn

Joined: Oct 31, 2004
Posts: 3
In our project we are using Struts 1.1. So far we didn't have any security implemented. Trying to implement J2EE security using Form Based authentication and Custom User Registry for authorization. I have been able to configure the CUR in WAS 5.1 server configuration. I see that when I try to login I see the CUR is authenticating it. Here is the issue I am having .....

When I try to go to http://localhost:9080/web, I see my home page displayed which is welcome screen that is shown after a user is logged in. All our jsps are not under WEB-INF.

- I have defined in web.xml in welcome-file list as /general/home .... this is the home page tile.
- <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>welcome.jsp</form-login-page>
      <form-error-page>/general/errorpage.jsp</form-error-page>
    </form-login-config>
  </login-config>
welcome.jsp has a simple statement that redirects to welcome.do that forwards to index page tile, i.e. my login page.

But what I don't understand is why the home page is displayed without being first redirected to my index tile? All the roles are defined in web.xml and groups are defined in ejb.xml. Can someone shed some light here? and direct me to some website that shows step by step how to implement J2EE security with Struts and tiles.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61205
    
Moving to the Web App Frameworks forum.


huy nguyen
Greenhorn

Joined: Mar 13, 2004
Posts: 3
Hi Srinivasa,

You can protect all your JSP resources in the following way:
- In your Application Deployment Descriptor (application.xml), define one role used for access to your JSPs (eg: JSP_ACCESS) without assigning it to any group or user.
- Then in your Web Deployment Descriptor, add a security constraint to the JSP_ACCESS role by putting these lines:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSP Resource</web-resource-name>
    <description></description>
    <url-pattern>/jsp/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>JSP_ACCESS</role-name>
  </auth-constraint>
</security-constraint>

In which /jsp/* means you want to protect all the files in the jsp folder (under Web Content).
If you locate more of your JSP resources in other folders, you can add more patterns:
<url-pattern>/pages/*</url-pattern>

That's all it takes to protect your JSPs from direct access.

Good luck !
Huy

[ November 03, 2004: Message edited by: huy nguyen ]
Srinivasa Kakumanu
Greenhorn

Joined: Oct 31, 2004
Posts: 3
Huy,

Thanks for the response. I tried exactly like you said. But it didn't work for me. It was taking me to the home page without authentication when I did it. So I tried like this .... still no luck.
<url-pattern>/authenticate/*</url-pattern>
<url-pattern>/dailystatistics/*</url-pattern>
<url-pattern>/deviceconfiguration/*</url-pattern>
<url-pattern>/employee/*</url-pattern>
<url-pattern>/general/*</url-pattern>
<url-pattern>/layout/*</url-pattern>
<url-pattern>/managementstructure/*.jsp</url-pattern>
<url-pattern>/menu/*.jsp</url-pattern>
<url-pattern>/messaging/*</url-pattern>
<url-pattern>/packagestandards/*</url-pattern>
<url-pattern>/personalize/*</url-pattern>
<url-pattern>/timecard/*</url-pattern>
<url-pattern>/user/*</url-pattern>
<url-pattern>/*.jsp</url-pattern>
<url-pattern>/*.do</url-pattern>

Any more help is really appreciated.

Thanks,
Srinivasa
Srinivasa Kakumanu
Greenhorn

Joined: Oct 31, 2004
Posts: 3
Huy,

You have been very helpful. One of the major component issues is resolved. I have resolved the problem with your suggestion.

Here was the mistake I was making when I declared the security constraints .... I was putting the URL pattern as /*.do and /*.jsp. This doesn't work well. In fact I had to define all the actions as /welcome.do /login.do etc. and define jsps as /authenticate/* etc. This really worked. I am very thankful to you. Appreciate your help very much.

Thanks,
Srinivasa
Nicholas Cheung
Ranch Hand

Joined: Nov 07, 2003
Posts: 4982

I was putting the URL pattern as /*.do and /*.jsp. This doesn't work well

You should put down *.do and *.jsp, without "/".

Nick
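
The mapping rules behind this fix, as an added example that is not part of the original thread: under the Servlet specification a url-pattern is a path prefix (`/dir/*`), an extension (`*.ext`), the default (`/`), or otherwise an exact literal, so `/*.do` and `/menu/*.jsp` only match requests for those literal strings. The web.xml fragment and request paths are constructed, the function names are hypothetical, and the sketch assumes a descriptor without an XML namespace and ignores http-method and role checks.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (no XML namespace assumed) reusing patterns
# from the thread; http-method and role checks are ignored in this sketch.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP Resource</web-resource-name>
      <url-pattern>/general/*</url-pattern>
      <url-pattern>/menu/*.jsp</url-pattern>
      <url-pattern>/*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JSP_ACCESS</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_kind(pattern):
    """Classify a url-pattern the way the Servlet spec mapping rules do."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"  # everything else is compared literally, '*' included

def matches(pattern, path):
    """True if a context-relative request path falls under the pattern."""
    kind = pattern_kind(pattern)
    if kind == "path":
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.rsplit(".", 1)[1] == pattern[2:]
    return kind == "default" or path == pattern

def constrained_patterns(web_xml):
    """All url-patterns that sit inside a security-constraint."""
    root = ET.fromstring(web_xml)
    return [u.text.strip() for c in root.iter("security-constraint")
            for u in c.iter("url-pattern")]

def is_protected(web_xml, path):
    return any(matches(p, path) for p in constrained_patterns(web_xml))

def literal_wildcards(web_xml):
    """Patterns containing '*' that will only ever match as literal text."""
    return [p for p in constrained_patterns(web_xml)
            if pattern_kind(p) == "exact" and "*" in p]
```

Running `literal_wildcards` over a deployment descriptor before release flags constraints that look like wildcards but leave the intended resources reachable without login.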

