struts-user mailing list archives

From "Michael" <mich...@idtect.com>
Subject RE: How can I make my logout page not secure?
Date Mon, 23 Sep 2002 12:20:13 GMT
The way container managed security works is, if you click logout, you
have to log in and then it's too late to change the target (which is
the logout page).


> -----Original Message-----
> From: Cliff Rowley [mailto:cliff@onsea.net] 
> Sent: Monday, 23 September 2002 13:08
> To: 'Struts Users Mailing List'
> Subject: RE: How can I make my logout page not secure?
> 
> 
> Then surely it'd work properly?  If the user is logged in, 
> the logout won't be protected and it can log them out along 
> the way .. If they're not logged in, they'll get thrown a 
> login screen .. Right?
> 
> >-----Original Message-----
> >From: Andrew Hill [mailto:andrew.david.hill@gridnode.com]
> >Sent: 23 September 2002 12:01
> >To: Struts Users Mailing List
> >Subject: RE: How can I make my logout page not secure?
> >
> >
> >Perhaps his login & logout are the same action both forwarding
> >to the login screen, and if already logged in, logging out 
> >along the way?
> >
> >-----Original Message-----
> >From: Cliff Rowley [mailto:cliff@onsea.net]
> >Sent: Monday, September 23, 2002 18:54
> >To: 'Struts Users Mailing List'
> >Subject: RE: How can I make my logout page not secure?
> >
> >
> >Out of pure interest, why do you want logout unprotected?
> >People who are logged out won't need to log out, will they?
> >
> >>-----Original Message-----
> >>From: Michael [mailto:michael@idtect.com]
> >>Sent: 23 September 2002 09:40
> >>To: struts-user@jakarta.apache.org
> >>Subject: How can I make my logout page not secure?
> >>
> >>
> >>I'm using J2EE container managed security (in Tomcat).  I set up a rule
> >>to protect all *.do actions.  The problem is my logout.do is protected
> >>as well!
> >>
> >>In my web.xml I have:
> >>
> >>  <security-constraint>
> >>    <web-resource-collection>
> >>      <web-resource-name>All DO</web-resource-name>
> >>      <url-pattern>*.do</url-pattern>
> >>      <http-method>GET</http-method>
> >>      <http-method>POST</http-method>
> >>    </web-resource-collection>
> >>    <auth-constraint>
> >>      <role-name>*</role-name>
> >>    </auth-constraint>
> >>  </security-constraint>
> >>
> >>And then I use struts to set the security roles for each action.
> >>Although my logout action doesn't have any security roles, the above
> >>config in the web.xml requires a user to be authenticated before
> >>executing an action.
> >>
> >>What can I do to unprotect my logout action?
> >>
> >>
> >>
> >>--
> >>To unsubscribe, e-mail: <mailto:struts-user-unsubscribe@jakarta.apache.org>
> >>For additional commands, e-mail: <mailto:struts-user-help@jakarta.apache.org>



