struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dan C." <>
Subject Re: JAAS not working
Date Tue, 12 May 2009 13:51:42 GMT

Ok, I found the solution.. Actually another in house app had run into the
same problem.. Here is the solution for anyone else.. BTW: we eventually
found this issue by searching "declarative security 404".

             Instead of specifying an action as the form-login-page, a jsp
containing a client side redirect to  
             the action is used. The login action cannot be directly used as
the login page specified
             in the web.xml b/c both tomcat and jboss issue server transfers
(instead of client side redirects) to 
             redirect to the login page specified.  Since Struts 2 uses
filters, when the server transfer is made, 
             the struts 2 filter is not passed, and thus the .action urls
will not be found.  For more info, see
             the following: 
(GCUEVAS 8/19/08)

Here’s the meat of the referenced apache issue:

Using an action URI for web.xml declarative security results in a 404 "The
requested resource (/mywebapp/login.action) is not available message." on
Tomcat (both 5.5.x & 6.x). Representative XML configs below:


<action name="login">

Unfortunately it looks like the S2 architectural change from a Servlet to
Servlet Filters is the culprit. After digging through the tomcat 5.5.23
(also present in the most recent 6.0.13 release) code I've come to the
conclusion Struts2 actions CAN NOT be used for any of the common web.xml
descriptor elements (form-login-page, form-error-page, welcome-file?,
other?). Here's a snippet of the javadoc from
org.apache.catalina.core.ApplicationDispatcher's invoke method:

* <strong>IMPLEMENTATION NOTE</strong>: This implementation assumes that no
filters are applied to a forwarded or included resource, because they were
already done for the original request.

Since this worked in S1, I've opened this ticket as a BUG. The workaround I
received on the user list of doing an HTTP meta REFRESH works, but results
in screen flashing (even with a refresh of 0 seconds) and a poor user
experience. I'd GREATLY appreciate if one of the Struts developers had a
more elegant workaround suggestion. For example would it be feasible to port
FilterDispatcher to a servlet?

Dan C. wrote:
> Hi, I have an application we migrated to struts 2. We originally had
> oracle OAM for authentication but now we are going back to JAAS. We used
> JAAS on struts 1 and it work fine. I've added everything I need to in the
> web.xml but anytime I use a link that requires authentication I get a
> blank page and nothing in the logs(debugging is set to DEBUG). So, I
> decide to just create a small app that would redirect to a login page for
> testing and I got the same result..
> We are using oc4j and it worked with struts1 on oc4j. But, I also have a
> jboss version of the app and I get the same result
> Any help would be greatly appreciated..
> Dan
> One other thing. I know the j_security_check work because if I got
> directly to my login action and login the app authenticates correctly..
> The only problem is the redirect managed by JAAS to the login action page.
> Here is the web.xml
> <security-constraint>
>       <web-resource-collection>
>             <web-resource-name>Authentication Needed</web-resource-name>
>             <url-pattern>/</url-pattern>
>         </web-resource-collection>
>        <auth-constraint>
>             <role-name>privileged_user</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>/</form-login-page>
>             <form-error-page>/</form-error-page>
>         </form-login-config>
>     </login-config>
>     <security-role>
>         <role-name>privileged_user</role-name>
>     </security-role>
> my struts config:
> <struts>
> 	<package name="jaastest-default-config" namespace="/"
> extends="struts-default,tiles-default">
> 	<!--  add the tile result type for this package -->
>     <default-interceptor-ref name="defaultStack"/>
>       <action name="homeAuth">
>             <result name="success">/WEB-INF/homeAuth.jsp</result>
>       </action>
>       <action name="login">
>       		<result name="success">/WEB-INF/login.jsp</result>          
>       </action>
>       <action name="home">
>           <result name="success">/WEB-INF/home.jsp</result>          
>       </action>
> 	</package>
> </struts>

View this message in context:
Sent from the Struts - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message