struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carl <>
Subject Re: How to create a "No Action" ActionForward
Date Mon, 23 Feb 2004 09:00:38 GMT
By integarting with struts, I mean to have a loginAction witch fill the 
session with data about the logged user.

I can't see how to manage that with classic j_security_check.



Adam Hardy wrote:

> Not having any roles effectively means from the container managed 
> security point of view that you have only one role.
> What problems did you have 'integrating' the container security? As far 
> as your app is concerned, j_security_check is not something that is 
> relevant. The whole login should be transparent to your app. As long as 
> you map the security constraints correctly, the user will never see a 
> protected page unless they login.
> Adam
> On 02/23/2004 08:54 AM Carl wrote:
>> I've faced the same issue too. (using tomcat)
>> To solve it I've found 2 options :
>> - implement a filter witch intercept each request an redirect if 
>> needed to the struts login action. It allow a good interaction with 
>> struts but no securty by container.
>> - use the container : I do that by adding a CUSTOM login scheme along 
>> BASIC & FORM in 
>> It's like the filter solution but use roles and the security is 
>> managed by the security constrains defined in web.xml. For now my 
>> CUSTUM login is similar to the FORM login, so it's not intergrated 
>> with struts, but I've planned to modify it soon.
>> This second solution need too to define a Realm in <Context> :
>>     <Realm className="org.apache.catalina.realm.JAASRealm"            
>>     appName="catalogue"
>>     userClassNames="com.asserina.atypone.catalogue.impl.ClientImpl"
>>     roleClassNames="com.asserina.atypone.catalogue.Role" />
>> (I'm using JAAS)
>> To conclude I would say that the second option is far more powerfull 
>> and addaptable to specific needs however you have too look close to :
>> JAAS, custom Realm, and is tide to your 
>> container (for me Tomcat)
>> Let me know if you find quiker or simpler solutions,
>> Regards,
>> Carl
>> Jacqueline Gomes wrote:
>>> Hi James,
>>> I was also trying to do the same thing, however, we are using JRun 
>>> and we don't have any user 'roles'. Specifically, I wanted the 
>>> container to do the authorisation i.e if a user tried to access any 
>>> pages after <blah blah>/admin/* then they would be redirected to the 
>>> login page if they have not logged in.  However, the application does 
>>> not have any 'roles' as such. The user is authenticated by calling a 
>>> stored procedure in the dbase.
>>> I tried to implement the j_security_check also but was having a tough 
>>> time integrating it with the actionform etc.
>>> Do you have any ideas as to how I would do this given that I don't 
>>> have any user roles in the application?  I was going to add a 'user' 
>>> object in the session and check on each page if it exists. If it 
>>> doesn't then redirect the user back to the login page.  I have set 
>>> the session.setMaxInactiveInterval(72000);
>>> Any help would be appreciated.
>>> Thanks, Jackie.
>>> -----Original Message-----
>>> From: James Adams []
>>> Sent: Monday, 23 February 2004 4:43 AM
>>> To: Struts Mailing List
>>> Subject: Re: How to create a "No Action" ActionForward
>>> I think Srikanth has hit the nail on the head, in that
>>> I am not fully utilizing what is already available
>>> with vanilla J2EE, namely security roles,
>>> authorization constraints, and error pages, all of
>>> which I can declare in the deployment descriptor of my
>>> web app.  But I still want to use a Struts component
>>> for the authentication instead of a more traditional
>>> form-based authentication scheme.
>>> Let me outline below what is, I think, a much better
>>> approach and kindly ask for comments, as I'm not
>>> certain that this will work or if it's actually the
>>> smartest way to go.
>>> I would like to use a Struts Action class to handle my
>>> login form, instead of vanilla form-based
>>> authentication, i.e. "j_security_check", for two
>>> reasons: 1) form-based authentication is not very
>>> secure since it passes the user name and password
>>> across the network in clear text, and 2) I want to use
>>> a LDAP server (within my login Action class) to do the
>>> authentication, and this would not be possible using
>>> plain form-based authentication.
>>> So the plan is to have a form in my Login.jsp with the
>>> form's action being the login Action class.  The login
>>> Action class will connect to the LDAP server and try
>>> to authenticate using the username and password
>>> supplied as form inputs.  If the authentication
>>> succeeds then the user's session is set with the
>>> user's role (also retrieved from the LDAP server), and
>>> then the control is forwarded to the first "logged in"
>>> welcome page.  If the authentication fails then the
>>> appropriate error message ("Login failed - try again")
>>> will be added to the ActionErrors and control is
>>> forwarded back to the login page, which will display
>>> the ActionError message via a <html:errors> tag, and
>>> allow the user to try again.
>>> In order to accomplish session authorization of a
>>> session for each *.jsp of the application I will
>>> declare a security constraint in the web.xml, like so:
>>> <security-constraint>
>>>     <web-resource-collection>
>>>         <web-resource-name>
>>>             Restricted Pages
>>>         </web-resource-name>
>>>         <url-pattern>*.jsp</url-pattern>
>>>     </web-resource-collection>
>>>     <auth-constraint>
>>>         <role-name>admin</role-name>
>>>         <role-name>customer</role-name>
>>>     </auth-constraint>
>>> </security-constraint>
>>> With the above I will get automatic checking of the
>>> user's role by the container at each access of any
>>> *.jsp, and anyone accessing a *.jsp without an
>>> appropriate role set in their session will not be
>>> allowed to access the page.  If the user is not in the
>>> appropriate role then I can forward to an error page
>>> by declaring an <error-page> in the deployment
>>> descriptor.
>>> The above authorization strategy takes care of what I
>>> was trying to accomplish with my SessionValidator
>>> Action class idea from before, which was to check for
>>> a "loggedIn" session attribute before allowing a user
>>> to continue with page processing.  In fact it is even
>>> better, in that it allows the flexibility of allowing
>>> different roles and authorization of pages based on
>>> roles and not just on a single "loggedIn" flag. I am not sure how I 
>>> will programmatically set the
>>> user's role in the login Action class execute()
>>> method.  Is it as simple as just setting a session
>>> attribute named "role" ?
>>> Thanks in advance for your insight.
>>> -James

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message