struts-user mailing list archives

From Eddie Bush <>
Subject Re: Logout in a container-managed security environment
Date Wed, 25 Sep 2002 15:19:22 GMT
There are *many* posts on precisely how CMA works on this list and on 
others (tomcat-user being one).  I'll give a quick overview and you can 
STMA for additional comments.

    - login forced when user requests a restricted resource
    - forwards to requested resource on authentication
    - shows error page on failed authentication
    - unable to directly implement a "let-based" login
        - CMA login form may not be called directly
        - CMA login form only invoked when restricted resource is requested

You *can* work-around the "force-based" login, and provide a redirect to 
wherever you wish in the process.  What I have done to implement this is:
    - Two login forms
        - one submits to j_security_check
            - NEVER call this form directly!  ONLY the container may invoke it!
            - grabs credentials out of session and fills out form
            - contains javascript for auto-submit if required data present
        - one submits to a struts action (non-restricted)
            - copies request parameters to session
            - REDIRECTS to a restricted redirect action
    - Call the non-CMA form directly
    - User submits form/Action does its thing
    - Redirect action is restricted, so it invokes CMA login form
    - Once authenticated the user goes to the Redirect action
        - cleans up the session (remove credentials we put there earlier), if present
        - grabs a parameter indicating the path to redirect to
        - redirects the user


It's absolutely *essential* to have redirects where I specified (in 
contrast to forwards), as you will not achieve the desired behavior 
(invoking CMA) if you do not.  The specification allows you to forward 
anywhere you want to without the container caring where you are 
forwarding to (this is why you can put your pages under WEB-INF).

The end result is that if you wish to "let" your users login before 
requesting a restricted resource, you can.  If they don't, and they 
access a restricted resource, they are prompted to.  It's really not 
that bad :-)

Mohan Radhakrishnan wrote:

>       I am not sure how Container-managed login security will affect Struts
>loginform and loginaction. How do you forward to the main screen after login
>in this case?

Eddie Bush
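The two-action flow described in the post above, written out as an added Struts 1.x example (this is not Eddie Bush's code and not code from the Struts project). The class names, the session attribute keys, the form field names `username`/`password`/`target`, and the paths `/secure/afterLogin.do` and `/home.do` are assumptions; the two classes are shown in one listing, but in a project each would be its own public source file. The redirect target is checked to be an application-relative path so the non-restricted action cannot be used to send a user off-site, and the credentials copied into the session are removed as soon as the restricted action runs.

```java
// Added example, not from the original post: the non-restricted "let-based"
// login action and the restricted redirect action it hands off to.
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Non-restricted action: target of the login form the application calls directly. */
public class PreLoginAction extends Action {
    // Assumed session attribute keys.
    public static final String USER_KEY = "pendingUser";
    public static final String PASS_KEY = "pendingPass";
    public static final String TARGET_KEY = "pendingTarget";

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(true);
        // Copy the request parameters into the session so the CMA login page
        // (form-login-page, submitting to j_security_check) can fill itself in.
        session.setAttribute(USER_KEY, request.getParameter("username"));
        session.setAttribute(PASS_KEY, request.getParameter("password"));
        session.setAttribute(TARGET_KEY, safeTarget(request.getParameter("target")));
        // Must be a redirect (second argument true): a forward would bypass the
        // container's security constraint and the CMA login form would never run.
        return new ActionForward("/secure/afterLogin.do", true);
    }

    /** Accept only an application-relative path; anything else falls back to the home page. */
    static String safeTarget(String target) {
        if (target == null || !target.startsWith("/") || target.startsWith("//")
                || target.indexOf(':') >= 0 || target.indexOf('\\') >= 0) {
            return "/home.do";
        }
        return target;
    }
}

/** Restricted action (inside a security-constraint): reached only after the container logged the user in. */
class AfterLoginAction extends Action {
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        String target = "/home.do";
        if (session != null) {
            Object t = session.getAttribute(PreLoginAction.TARGET_KEY);
            if (t != null) {
                target = (String) t;
            }
            // Clean up: the plaintext credentials must not outlive the login.
            session.removeAttribute(PreLoginAction.USER_KEY);
            session.removeAttribute(PreLoginAction.PASS_KEY);
            session.removeAttribute(PreLoginAction.TARGET_KEY);
        }
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + target));
        return null; // response already committed
    }
}

// The CMA login page (the form-login-page in web.xml) is a JSP along these lines;
// it is never linked to directly, the container invokes it when /secure/* is hit:
//
//   <form name="cmaLogin" method="post" action="j_security_check">
//     <input type="text" name="j_username" value="<%= escaped(session, "pendingUser") %>"/>
//     <input type="password" name="j_password" value="<%= escaped(session, "pendingPass") %>"/>
//     <input type="submit" value="Login"/>
//   </form>
//   <% if (session.getAttribute("pendingUser") != null) { %>
//     <script type="text/javascript">document.cmaLogin.submit();</script>
//   <% } %>
//
// escaped() is an assumed helper that HTML-escapes the attribute value (or returns
// "" when it is absent) so the copied credential cannot break out of the attribute.
```

With this in place, the application links to the form that posts to `PreLoginAction`; a user who never uses it and goes straight to a `/secure/` URL still gets the container's login page with empty fields, exactly as the post describes.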
