
Struts JSP J2EE Security

 
Srinivasa Kakumanu
Greenhorn
Posts: 3
In our project we are using Struts 1.1. So far we didn't have any security implemented. Trying to implement J2EE security using Form Based authentication and Custom User Registry for authorization. I have been able to configure the CUR in WAS 5.1 server configuration. I see that when I try to login I see the CUR is authenticating it. Here is the issue I am having .....

When I try to go to http://localhost:9080/web, I see my home page displayed which is welcome screen that is shown after a user is logged in. All our jsps are not under WEB-INF.

- I have defined in web.xml in welcome-file list as /general/home .... this is the home page tile.
- <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>welcome.jsp</form-login-page>
      <form-error-page>/general/errorpage.jsp</form-error-page>
    </form-login-config>
  </login-config>
welcome.jsp has simple statement that redirects to welcome.do that forwards to index page tile i.e my login page.

But what I don't understand is why the home page is displayed without being first redirected to my index tile? All the roles are defined in web.xml and groups are defined in ejb.xml. Can someone shed some light here? and direct me to some website that shows step by step how to implement J2EE security with Struts and tiles.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64721
Moving to the Web App Frameworks forum.
 
huy nguyen
Greenhorn
Posts: 3
Hi Srinivasa,

You can protect all your JSP resources in the following way:
- In your Application Deployment Descriptor (application.xml), define one role used for access to your JSPs (eg: JSP_ACCESS) without assigning it to any group or user.
- Then in your Web Deployment Descriptor, add a security constraint to the JSP_ACCESS role by putting these lines:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>JSP Resource</web-resource-name>
    <description></description>
    <url-pattern>/jsp/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>JSP_ACCESS</role-name>
  </auth-constraint>
</security-constraint>

In which /jsp/* means you want to protect all the files in the jsp folder (under Web Content).
If you locate more of your JSP resources in other folders, you can add more:
<url-pattern>/pages/*</url-pattern>

That's all it takes to protect your JSPs from direct access.

Good luck !
Huy


[ November 03, 2004: Message edited by: huy nguyen ]
 
Srinivasa Kakumanu
Greenhorn
Posts: 3
Huy,

Thanks for the response. I tried exactly like you said. But it didn't work for me. It was taking me to the home page without authentication when I did it. So I tried like this .... still no luck.
<url-pattern>/authenticate/*</url-pattern>
<url-pattern>/dailystatistics/*</url-pattern>
<url-pattern>/deviceconfiguration/*</url-pattern>
<url-pattern>/employee/*</url-pattern>
<url-pattern>/general/*</url-pattern>
<url-pattern>/layout/*</url-pattern>
<url-pattern>/managementstructure/*.jsp</url-pattern>
<url-pattern>/menu/*.jsp</url-pattern>
<url-pattern>/messaging/*</url-pattern>
<url-pattern>/packagestandards/*</url-pattern>
<url-pattern>/personalize/*</url-pattern>
<url-pattern>/timecard/*</url-pattern>
<url-pattern>/user/*</url-pattern>
<url-pattern>/*.jsp</url-pattern>
<url-pattern>/*.do</url-pattern>

Any more help is really appreciated.

Thanks,
Srinivasa
 
Srinivasa Kakumanu
Greenhorn
Posts: 3
Huy,

You have been very helpful. One of the major component issues is resolved. I have resolved the problem with your suggestion.

Here was the mistake I was making when I declared the security constraints .... I was putting the URL pattern as /*.do and /*.jsp. This doesn't work well. In fact I had to define all the actions as /welcome.do /login.do etc. and define jsps as /authenticate/* etc. This really worked. I am very thankful to you. Appreciate your help very much.

Thanks,
Srinivasa
 
Nicholas Cheung
Ranch Hand
Posts: 4982

I was putting the URL pattern as /*.do and /*.jsp. This doesn't work well

You should put down *.do and *.jsp, without "/".

Nick
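
Added example, not part of any post in this thread: a small Python audit of the url-pattern behaviour discussed above. Under the Servlet spec's mapping rules, only `/prefix/*` and `*.ext` act as wildcards, so `/*.do` and `/menu/*.jsp` are compared as literal paths and constrain nothing useful. The function names and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment; the patterns are ones quoted in the thread.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSP Resource</web-resource-name>
      <url-pattern>/general/*</url-pattern>
      <url-pattern>/menu/*.jsp</url-pattern>
      <url-pattern>/*.jsp</url-pattern>
      <url-pattern>/*.do</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JSP_ACCESS</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def classify(pattern):
    """Classify a url-pattern the way the Servlet spec's mapping rules do."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path-prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # anything else, including /*.do, is compared literally

def matches(pattern, path):
    kind = classify(pattern)
    if kind == "default":
        return True
    if kind == "path-prefix":
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

def constrained_patterns(web_xml):
    root = ET.fromstring(web_xml)
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # ignore an XML namespace
    return [u.text.strip() for sc in root.iter() if local(sc) == "security-constraint"
            for u in sc.iter() if local(u) == "url-pattern" and u.text]

def literal_wildcards(web_xml):
    """Patterns containing '*' that the container will still match literally."""
    return [p for p in constrained_patterns(web_xml)
            if classify(p) == "exact" and "*" in p]

def unprotected(web_xml, paths):
    patterns = constrained_patterns(web_xml)
    return [p for p in paths if not any(matches(pat, p) for pat in patterns)]
```

Running `literal_wildcards` over a real deployment descriptor lists the constraints that look like wildcards but protect nothing, and `unprotected` shows which request paths would be served without authentication.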
 