Natasha Krasnov

Greenhorn
since Oct 21, 2002

Recent posts by Natasha Krasnov

Thank you so much for your reply!

I never saw this formally documented, but my experience has been that the list of roles for an authenticated user is constructed at login time and remains immutable throughout the session.



That's what it seemed like to me as well, at least based on looking through the Tomcat code...

This is an interesting problem. In an SSO environment, in theory, you could invalidate the session and the next time a secured request was made, the SSO realm would automatically pick up the authentication from the SSO realm without any need for userid/password (otherwise it's not truly SSO!).

The unfortunate side of that is that, since in J2EE the only way to logoff is to invalidate the session, you also have to discard all your non-security-related session objects.

Which might in some ways be the right thing to do, since the previous session data was done using different security assumptions, so there's potential for scrambling contexts. But it's a pity there's no way at present to fine-tune such stuff.



Discarding all your non-security-related session objects should probably be ok for me; it does seem to be the right thing to do. I will try to invalidate the session and see if that works.

Thanks again for your help,

Natasha.





14 years ago
Hi,

I have several Tomcat webapps which use SSO and the same Realm for authentication. All is working as expected, except that I now need to update roles for a user that has already been authenticated in the past. I seem to be able to do it successfully for a given request (by calling LoginContext.login and switching the principals in the subject), but for all subsequent requests isUserInRole returns false for the new roles. The way I understand it, this is happening because a GenericPrincipal object, which JAASRealm created in the initial authenticate call, holds a copy of the original role list, and so on all subsequent calls the SSO valve puts that GenericPrincipal into the request, and its getRoles, which is called by isUserInRole, accordingly always returns the original list of roles. Is there any way for me to get around this? I don't seem to have any ability to update the roles in this GenericPrincipal object once it's put into the SSO cache... Or, if there is no way to update the roles, can I force re-authentication without making the user re-enter userid/password (we do have those stored in the SSO cache, I believe)?

Any help would be greatly appreciated.

Thank you very much for your time,
Natasha
14 years ago
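The two posts above settle on the only lever the container exposes: the role list lives in the GenericPrincipal that was built at login, so to pick up a role change the session holding that principal has to be invalidated and the user re-authenticated. The following is an added example, not code from this thread or from Tomcat, of how to apply that from the administrative side: a listener keeps track of which live sessions belong to which user, and the code that changes a user's roles invalidates all of them, so that the stale principal is gone on that user's next request. This matters for revocation as much as for granting new roles, since a removed role otherwise stays effective until the session dies on its own. The attribute name, the init-less filter and the registry itself are assumptions for this example; whether the next request is then served from the SSO cache or has to re-run the Realm's authenticate depends on the container's SSO valve and authenticator settings, which should be checked for the version in use.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example (not from the thread or from Tomcat): registry of live sessions
 * per authenticated user, so that a role change in the back end can end every
 * session still carrying the old role snapshot in its cached Principal.
 */
public final class SessionRegistry implements HttpSessionListener {

    // Session attribute remembering the user name; the name is an assumption of this example.
    private static final String USER_ATTR = "example.registry.user";

    // user name -> ids of that user's live sessions, and session id -> session.
    private static final ConcurrentHashMap<String, Set<String>> IDS_BY_USER =
            new ConcurrentHashMap<String, Set<String>>();
    private static final ConcurrentHashMap<String, HttpSession> BY_ID =
            new ConcurrentHashMap<String, HttpSession>();

    /** Records that session belongs to user; cheap enough to call on every request. */
    static void track(HttpSession session, String user) {
        if (session.getAttribute(USER_ATTR) != null) {
            return; // already registered on an earlier request
        }
        session.setAttribute(USER_ATTR, user);
        BY_ID.put(session.getId(), session);
        Set<String> ids = IDS_BY_USER.get(user);
        if (ids == null) {
            ids = Collections.synchronizedSet(new HashSet<String>());
            Set<String> previous = IDS_BY_USER.putIfAbsent(user, ids);
            if (previous != null) {
                ids = previous;
            }
        }
        ids.add(session.getId());
    }

    /**
     * Called by the administrative code right after the user's roles were changed
     * in the database. Returns how many sessions were ended.
     */
    public static int invalidateSessionsOf(String user) {
        Set<String> ids = IDS_BY_USER.remove(user);
        if (ids == null) {
            return 0;
        }
        Set<String> snapshot;
        synchronized (ids) {
            snapshot = new HashSet<String>(ids);
        }
        int ended = 0;
        for (String id : snapshot) {
            HttpSession session = BY_ID.remove(id);
            if (session == null) {
                continue;
            }
            try {
                // Drops the cached Principal together with all other session state,
                // which is the trade-off the thread accepts.
                session.invalidate();
                ended++;
            } catch (IllegalStateException alreadyInvalid) {
                // expired concurrently; nothing left to end
            }
        }
        return ended;
    }

    public void sessionCreated(HttpSessionEvent event) {
        // nothing to do until the container has authenticated the user
    }

    /** Keeps the maps from leaking when sessions expire or are invalidated elsewhere. */
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        String user = (String) session.getAttribute(USER_ATTR);
        BY_ID.remove(session.getId());
        if (user != null) {
            Set<String> ids = IDS_BY_USER.get(user);
            if (ids != null) {
                ids.remove(session.getId());
            }
        }
    }

    /** Registers each authenticated request's session; map it to /* in web.xml. */
    public static final class TrackingFilter implements Filter {
        public void init(FilterConfig config) {
        }

        public void destroy() {
        }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            // Non-null once the Realm (directly or via the SSO valve) has authenticated the request.
            String user = request.getRemoteUser();
            if (user != null) {
                track(request.getSession(true), user);
            }
            chain.doFilter(req, res);
        }
    }
}
```

Register SessionRegistry as a listener and SessionRegistry$TrackingFilter as a filter mapped to /* in each webapp's web.xml. The maps are static and therefore per webapp classloader, so in an SSO setup every participating webapp needs the registry and the administrative change has to be fanned out to each of them (or the SSO session itself has to be ended), otherwise a sibling application keeps serving the old roles from its own session.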
It seems like the answer is that Weblogic actually does not allow access to resources under WEB-INF even when using RequestDispatcher.
(see http://216.148.48.100/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.jsp&item=10172&utag=)
I guess I will have to settle for moving jsps out of WEB-INF and adding a CONFIDENTIAL security constraint for *.jsp.
Thank you very much for your help.
Natasha.
21 years ago
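Since the post above concludes that the JSPs have to live outside WEB-INF on this container, direct requests for them need to be refused some other way, and a plain security constraint on *.jsp is one option. The following is an added example, not code from this thread or from Struts, of the same effect done with a servlet filter: filters mapped without a dispatcher element (and every filter on a Servlet 2.3 container) see only client requests, not RequestDispatcher forwards, so an action's forward to the page still renders while a browser typing the .jsp URL gets a 404. The init-param name "allow", used to whitelist pages such as index.jsp that may be requested directly, is an assumption of this example.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread or from Struts): rejects direct client
 * requests for JSPs that live outside WEB-INF while leaving forwards from
 * actions untouched. Map it to *.jsp in web.xml and do not add a
 * <dispatcher>FORWARD</dispatcher> element to the mapping.
 */
public final class DirectJspAccessFilter implements Filter {

    // Servlet paths that may be requested directly, e.g. "/index.jsp", read
    // from the init-param "allow" (comma separated; name assumed for this example).
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig config) {
        String list = config.getInitParameter("allow");
        if (list != null) {
            for (String path : list.split(",")) {
                if (path.trim().length() > 0) {
                    allowed.add(path.trim());
                }
            }
        }
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getServletPath() is the part matched by the *.jsp mapping, without the
        // context path or query string, so "/sports.jsp?x=1" is seen as "/sports.jsp".
        if (allowed.contains(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        // Answer as if the page did not exist rather than confirm it is reachable
        // through an action; the forward from the action never enters this filter.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
    }
}
```

The filter only covers what its url-pattern covers: if the container also maps *.jspx or other extensions to the JSP engine, add a mapping for each, and keep the Struts security or authentication check in the actions themselves, since this filter only decides who may reach a page directly, not who may see its contents.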
<web-uri> defines the location of a web module; I believe it is a Weblogic-specific element, and that is what the resource path is relative to.
No space in my actual code, so I cannot understand why it doesn’t work.
I was trying to find further information on the controller element, but it seems like I do not need to add it, because all the defaults are supposed to work as in the previous versions of Struts, according to the Struts 1.1 DTD. The Server Side article mentions setting the pagePattern and forwardPattern attributes of the <controller> element to "/WEB-INF/$A$P" (meaning, when assembling the path, first add “/WEB-INF/”, then the application prefix, and then the path), but I understand that without subapplications it should be the same as having the default ($A$P) and starting the path itself with “/WEB-INF”. I tried both, however, and neither one works…
Natasha
21 years ago
As I understand, Struts RequestProcessor does use RequestDispatcher’s forward in its process() method, and that is how the forward to the next page happens. So, according to what I know, this should work. I want to put my pages into WEB-INF to prevent users from accessing them directly and force everything to go through actions. I suppose this could be done through a security constraint on all jsps, but I have seen the recommendation to put jsps into WEB-INF enough times (see “Resources under WEB-INF” here for example http://www2.theserverside.com/resources/article.jsp?l=Struts1_1) to think that this should work and I am just missing some details.
Oh, I suppose I should mention that I am using Weblogic 7.0 in case it might have some relevance.
Thank you very much for your time.
Natasha
21 years ago
Adam, it all worked with * servlet mapping, thank you very much for your help.
Now I have a problem getting my jsps to show up if they are in WEB-INF.
Is there anything special I need to do for that? I have <web-uri>webapp</web-uri> in application.xml, then I put my pages into webapp/WEB-INF/jsp/… and reference them as follows:
<forward name="mypage" path="/WEB-INF/jsp/mypage.jsp"/>
However, when my action’s execute method tries to do
return mapping.findForward("mypage "), I get a 404 error.
Do I need to change anything in my struts-config.xml? I am using struts 1.1 and I only have one application (no subapplications), so I left all my struts settings as they were in 1.0.
Any thoughts would be greatly appreciated.
Natasha
[ October 24, 2002: Message edited by: Natasha Krasnov ]
21 years ago
Adam,
I was hoping to not have any non-struts servlets, and instead, say, have something like
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
....blah blah
</servlet>

<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*</url-pattern>
</servlet-mapping>
in web.xml, so that I consistently use Struts throughout, and then declare a default action, which would catch all actions not explicitly defined in struts-config.xml, that would check with the database what to do with the request. But I am not sure if that would work with Struts… I’ll use your advice and make a separate servlet for now, thank you for your help.
21 years ago
It is not really a portal, more of a straightforward site; there is just one page template which the user should be able to get to by typing the general URL + theme (http://www.mysite.com/sports), and that template would be populated based on that theme.
If I declare a default action, wouldn’t it have to be referenced by http://www.mysite.com/sports.do (or some other pattern instead of .do) in order to be picked up as an action? It is important that the URL has no repeating pattern in it other than the domain name; is it possible to define an action as just * (or /*?) so that all requests are picked up as actions?
Also, I have heard that in Struts 1.1 all jsps have to be accessed through actions ( http://www2.theserverside.com/resources/article.jsp?l=Struts1_1). Does this mean that even the first index.jsp page has to be accessed through a dummy empty action?
Thank you so much for your help!
Natasha
[ October 22, 2002: Message edited by: Natasha Krasnov ]
21 years ago
Hello,
I am trying to figure out how to implement authentication/redirection with Struts. What I need is to have a bunch of static action mappings and, in addition, catch all other requests, forward them to a default servlet, and then check if the URL follows one of the patterns that are registered in the database as the dynamic URLs, in which case it is a certain “generic” action with the path being a parameter, or forward to some default location otherwise. In all of the above cases I want to execute the same authentication logic. Another trick is that the dynamic URLs cannot be formatted as *.do; they need to be of a simpler format like http://www.mysite.com/sports. Is there a way to do all this with Struts? I was trying to follow the paradigm described at https://coderanch.com/t/45776/Struts/Struts-Workflow-Extension, but being new to Struts, I cannot figure out how to put it all together.
Any help will be greatly appreciated.
[ October 24, 2002: Message edited by: Natasha Krasnov ]
21 years ago