Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsWhite Papers
Discussion GroupsFirst AidDatabasesJavaBeansGUIJava 3DVirtual MachineCORBASecurityToolsGeneral
Java DirectoryOpen Source ProjectsSample Book ChaptersUser GroupsWeb Resources
Related Topics
Databases.NETMore Topics ...
Java Forum / General / July 2005

Tip: Looking for answers? Try searching our database.

integration between struts and servlet auth

Thread view: 
Enable EMail AlertsStart New Thread
tremalnaik@gmail.com - 29 Jul 2005 12:07 GMT
Hi everibody,
I'm using the ssl extension library for Struts (sslext) to switch
between encrypted and unencrypted pages in my webapp. Everything works
fine excerpt for the login page, which is handled by the servlet
authentication mechanism. Some excerpt from my config files follow:

------------ web.xml ------------------
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Protected actions and
pages</web-resource-name>
     <description>no description</description>
     <url-pattern>*.do</url-pattern>
     <url-pattern>/index.jsp</url-pattern>
   </web-resource-collection>
   <auth-constraint>
     <role-name>TestUser</role-name>
   </auth-constraint>
   <user-data-constraint>
     <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

 <login-config>
     <auth-method>FORM</auth-method>
     <form-login-config>
       <form-login-page>/WEB-INF/jsp/logon/logon.jsp</form-login-page>

<form-error-page>/WEB-INF/jsp/logon/logonError.jsp</form-error-page>
     </form-login-config>
 </login-config>

 ------------ web.xml ------------------

 ------------- struts-config.xml ------------
 <action-mappings type="org.apache.struts.config.SecureActionConfig">
   <action forward="/WEB-INF/jsp/logon/logon.jsp" path="/logon" >
     <set-property property="secure" value="true"/>
   </action>
   <action input="page.clientHome" name="accountForm"
path="/openClient" scope="session"
type="com.ciccio.pasticcio.web.actions.OpenClientAction"
validate="true" >
     <set-property property="secure" value="false"/>
   </action>
 </action-mappings>
 .....
 <controller
processorClass="org.apache.struts.action.SecureTilesRequestProcessor"
/>
 <plug-in className="org.apache.struts.action.SecurePlugIn">
   <set-property property="httpPort" value="8080"/>
   <set-property property="httpsPort" value="8443"/>
   <set-property property="enable" value="true"/>
   <set-property property="addSession" value="false"/>
 </plug-in>
 ------------- struts-config.xml ------------

First I tried adding at the top of logon.jsp these lines:

<%@ taglib uri="/WEB-INF/tld/sslext.tld" prefix="sslext"%>
<sslext:pageScheme secure="true" />

but when I try to access a protected url (ie.
http://localhost:8080/testapp/openClient.do) I have an error:

'The requested resource (/testapp/WEB-INF/jsp/logon/logon.jsp) is not
available.'

So I got rid of the sslext tag and I modified the web.xml
<login-config> as

 <form-login-page>/logon.do</form-login-page>

Now encryption works and the logon page appears on a secure channel,
but when I push the form login button the user (while authenticated) is
not redirected to the original URL he has entered (openClient) but
remains in the login page. It seems the URL got lost by the container
because of the http -> https redirection.

I've tried with

   <action include="/WEB-INF/jsp/logon/logon.jsp" path="/logon" >

but the behaviour was not changing. I tested with IE 6.0 and Firefox
1.0.4

Can anyone help me?

TREMALNAIK
Reply to this Message
Andrew Thompson - 29 Jul 2005 12:20 GMT
> Hi everibody,
> I'm ..

..multi-posting.  Please refrain from doing so.
<http://www.physci.org/codes/javafaq.jsp#xpost>

Signature

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
See You On Some Other Channel

Reply to this Message
tremalnaik@gmail.com - 29 Jul 2005 12:47 GMT
> ..multi-posting.  Please refrain from doing so.
> <http://www.physci.org/codes/javafaq.jsp#xpost>

Multiposting is when the number of reposting reaches the number of 3

TREMALNAIK
Reply to this Message
Andrew Thompson - 29 Jul 2005 13:21 GMT
>> ..multi-posting.  Please refrain from doing so.
>> <http://www.physci.org/codes/javafaq.jsp#xpost>
>
> Multiposting is when the number of reposting reaches the number of 3

- Got a reference for that?  My reference is RFC 1855,
Section 3.1.3 - 'Netnews Guidelines', points 1 and 5.
<http://www.physci.org/rfc/rfc1855.jsp#3_1_3>.
You might try reading that sometime (before you next
consider multi-posting to two or more groups).

- How am I supposed to know how many groups you have posted
to.  You made no reference to the other post(s) in any thread
I saw.  Loan me your crystal ball?

- Given the first point, why should I care how many groups
you have mutli-posted to?

But ultimately, it seems you are saying 'it is OK to waste
people's time, so long as it is only on two groups at a time'.

Does that sum up the way you see it?

Signature

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
Known To Cause Insanity In Laboratory Mice

Reply to this Message
tremalnaik@gmail.com - 29 Jul 2005 13:42 GMT
> - Got a reference for that?  My reference is RFC 1855,
> Section 3.1.3 - 'Netnews Guidelines', points 1 and 5.
> <http://www.physci.org/rfc/rfc1855.jsp#3_1_3>.
> You might try reading that sometime (before you next
> consider multi-posting to two or more groups).

ok, I don't have any RFC to refer to, but in my opinion education is a
matter of opinion, not a RFC problem. I believe that waiting people
"behind a tree" to catch them doing something we consider wrong just
for the pleasure you get in complaining reveals some kind of pestilent
thinking. I believe I was not unpolite, neither if you look my posts in
the USENET you may say I ever committed some annoying action against
noone. I just posted my question in the Help group, then, I decided the
Programmer group was better, that's all. I don't think that my
beheavior caused the wasting of anyone precious time, as the offtopic
discussion in which we are involving. I apologize .

TREMALNAIK
Reply to this Message
Andrew Thompson - 29 Jul 2005 14:03 GMT
>> - Got a reference for that?  My reference is RFC 1855,
...
> ok, I don't have any RFC to refer to, ..

You can refer to the same one.  I sure don't 'own' it.
It was formulated long before I ever posted to the
usenet news groups.

>..but in my opinion education is a matter of opinion,

Who's.  Yours?

The prevailing opinion (by many contributors to the groups)
is that multi-posting is counter productive.

> ..I apologize .

..I do not feel you owe me (or anyone) an apology.

I would like to hear though, that you intend *not* to
multi-post in future.

Signature

Andrew Thompson
physci.org 1point1c.org javasaver.com lensescapes.com athompson.info
Featuring Gratuitous Alien Nudity

Reply to this Message


Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.