struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam Hardy <>
Subject Re: How to create a "No Action" ActionForward
Date Mon, 23 Feb 2004 08:25:38 GMT
Not having any roles effectively means from the container managed 
security point of view that you have only one role.

What problems did you have 'integrating' the container security? As far 
as your app is concerned, j_security_check is not something that is 
relevant. The whole login should be transparent to your app. As long as 
you map the security constraints correctly, the user will never see a 
protected page unless they login.


On 02/23/2004 08:54 AM Carl wrote:
> I've faced the same issue too. (using tomcat)
> To solve it I've found 2 options :
> - implement a filter witch intercept each request an redirect if needed 
> to the struts login action. It allow a good interaction with struts but 
> no securty by container.
> - use the container : I do that by adding a CUSTOM login scheme along 
> BASIC & FORM in 
> It's like the filter solution but use roles and the security is managed 
> by the security constrains defined in web.xml. For now my CUSTUM login 
> is similar to the FORM login, so it's not intergrated with struts, but 
> I've planned to modify it soon.
> This second solution need too to define a Realm in <Context> :
>     <Realm className="org.apache.catalina.realm.JAASRealm"            
>     appName="catalogue"
>     userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl"
>     roleClassNames="com.asserina.atypone.catalogue.Role" />
> (I'm using JAAS)
> To conclude I would say that the second option is far more powerfull and 
> addaptable to specific needs however you have too look close to :
> JAAS, custom Realm, and is tide to your 
> container (for me Tomcat)
> Let me know if you find quiker or simpler solutions,
> Regards,
> Carl
> Jacqueline Gomes wrote:
>> Hi James,
>> I was also trying to do the same thing, however, we are using JRun and 
>> we don't have any user 'roles'. 
>> Specifically, I wanted the container to do the authorisation i.e if a 
>> user tried to access any pages after <blah blah>/admin/* then they 
>> would be redirected to the login page if they have not logged in.  
>> However, the application does not have any 'roles' as such. The user 
>> is authenticated by calling a stored procedure in the dbase.
>> I tried to implement the j_security_check also but was having a tough 
>> time integrating it with the actionform etc.
>> Do you have any ideas as to how I would do this given that I don't 
>> have any user roles in the application?  I was going to add a 'user' 
>> object in the session and check on each page if it exists. If it 
>> doesn't then redirect the user back to the login page.  I have set the 
>> session.setMaxInactiveInterval(72000);
>> Any help would be appreciated.
>> Thanks, Jackie.
>> -----Original Message-----
>> From: James Adams []
>> Sent: Monday, 23 February 2004 4:43 AM
>> To: Struts Mailing List
>> Subject: Re: How to create a "No Action" ActionForward
>> I think Srikanth has hit the nail on the head, in that
>> I am not fully utilizing what is already available
>> with vanilla J2EE, namely security roles,
>> authorization constraints, and error pages, all of
>> which I can declare in the deployment descriptor of my
>> web app.  But I still want to use a Struts component
>> for the authentication instead of a more traditional
>> form-based authentication scheme.
>> Let me outline below what is, I think, a much better
>> approach and kindly ask for comments, as I'm not
>> certain that this will work or if it's actually the
>> smartest way to go.
>> I would like to use a Struts Action class to handle my
>> login form, instead of vanilla form-based
>> authentication, i.e. "j_security_check", for two
>> reasons: 1) form-based authentication is not very
>> secure since it passes the user name and password
>> across the network in clear text, and 2) I want to use
>> a LDAP server (within my login Action class) to do the
>> authentication, and this would not be possible using
>> plain form-based authentication.
>> So the plan is to have a form in my Login.jsp with the
>> form's action being the login Action class.  The login
>> Action class will connect to the LDAP server and try
>> to authenticate using the username and password
>> supplied as form inputs.  If the authentication
>> succeeds then the user's session is set with the
>> user's role (also retrieved from the LDAP server), and
>> then the control is forwarded to the first "logged in"
>> welcome page.  If the authentication fails then the
>> appropriate error message ("Login failed - try again")
>> will be added to the ActionErrors and control is
>> forwarded back to the login page, which will display
>> the ActionError message via a <html:errors> tag, and
>> allow the user to try again.
>> In order to accomplish session authorization of a
>> session for each *.jsp of the application I will
>> declare a security constraint in the web.xml, like so:
>> <security-constraint>
>>     <web-resource-collection>
>>         <web-resource-name>
>>             Restricted Pages
>>         </web-resource-name>
>>         <url-pattern>*.jsp</url-pattern>
>>     </web-resource-collection>
>>     <auth-constraint>
>>         <role-name>admin</role-name>
>>         <role-name>customer</role-name>
>>     </auth-constraint>
>> </security-constraint>
>> With the above I will get automatic checking of the
>> user's role by the container at each access of any
>> *.jsp, and anyone accessing a *.jsp without an
>> appropriate role set in their session will not be
>> allowed to access the page.  If the user is not in the
>> appropriate role then I can forward to an error page
>> by declaring an <error-page> in the deployment
>> descriptor.
>> The above authorization strategy takes care of what I
>> was trying to accomplish with my SessionValidator
>> Action class idea from before, which was to check for
>> a "loggedIn" session attribute before allowing a user
>> to continue with page processing.  In fact it is even
>> better, in that it allows the flexibility of allowing
>> different roles and authorization of pages based on
>> roles and not just on a single "loggedIn" flag. 
>> I am not sure how I will programmatically set the
>> user's role in the login Action class execute()
>> method.  Is it as simple as just setting a session
>> attribute named "role" ?
>> Thanks in advance for your insight.
>> -James

struts 1.1 + tomcat 5.0.16 + java 1.4.2
Linux 2.4.20 Debian

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message