The moose likes Struts and the fly likes Authentication Problem Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Frameworks » Struts
Bookmark "Authentication Problem" Watch "Authentication Problem" New topic

Authentication Problem

Pj Casaro
Ranch Hand

Joined: Jul 13, 2010
Posts: 47
Here's my setup. I have a home page, index.jsp with a login form.

My Login action has this for a result:

I have a file called home.jsp located in /secure. When I login successfully, I go here.

Then I added this to my struts.xml:

The point of this is so that if I have a jsp page with no action tied to it, lets say an image upload form or something, I can still trigger my interceptor to make sure I'm logged in. This works too. For example, if I try and navigate to /secure/home, my interceptor is triggered, even though I don't have a Home action.

For some reason, however, having this addition makes it so that when I login, instead of going to /secure/home like before, I get a requested resource is not available even though it is.
Pj Casaro
Ranch Hand

Joined: Jul 13, 2010
Posts: 47
I ran some tests and got some very interesting results.

I should note that I've set a couple of constants:

These were necessary to get what I want to work.

1) Create directory "/secure/test" and in "/secure/test" put "testpage.jsp":

When I log in, and attempt to visit "http://localhost:8080/MyPage/secure/test/testpage", I get an error message that "/MyPage/secure/test/test/testpage" is not available. It seems to have duplicated the namespace.

2) Create a package called "actions.secure.test" and put a random action class in it, and it works.

It seems like there's a flaw with what I'm trying to do. It seems redundant to need a class for every action but it seems like thats the only way to get it to behave
Pj Casaro
Ranch Hand

Joined: Jul 13, 2010
Posts: 47
For all interested parties, here's the fix.

Lets say you have some simple jsps that don't need classes but do need to be secured. This is what that part of your struts.xml should look like:

With the two constants from before, basically, when you enter the secure namespace, it will look for anything you type in that doesn't have a class associated with it, check if you're logged in, and then serve that jsp if you are logged in.
Consider Paul's rocket mass heater.
subject: Authentication Problem
Similar Threads
struts2 login interceptor not finding session attribute of user details.
Overriding default interceptor stack
Struts 2 addActionError problem
interceptor not working in struts 2
Scope interceptor: scope.type = end not doing any cleanup.