----- Original Message -----
From: "Joe Hertz" <[EMAIL PROTECTED]>
To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
Sent: Friday, August 27, 2004 3:28 PM
Subject: RE: Question about authentication
> My gripe with container managed authentication for Tomcat was the inability
> to have a login page I could show the user myself (it redirected the user to
> one, but showing one yourself wasn't possible). I would have used it myself
> if it did what I wanted. :-/
What's wrong with customizing your login page with container-managed security?
I am going to do just that.
Here is what I am going to do; feedback welcome.
Since I am a bit short of time, I am not going to use a servlet filter but
container-managed security.
The front page has login textfields; after validation through an Action, the user is passed to a path,
say, /do/Admin/* or /do/User/*.
If a user bookmarks a path under /do/Admin/* or /do/User/* and goes there, the user is returned to a
login page specified as below in web.xml:
...
<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/do/User/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/do/Admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<!-- Default login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/security/protected/login.jsp</form-login-page>
    <form-error-page>/security/protected/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>user</role-name>
</security-role>
</web-app>
Then do some tweaking as described in
C:\jakarta-tomcat-5.0.27\webapps\tomcat-docs\realm-howto.html
to use JDBCRealm.
Now, can I specify 2 login pages, one in the pretty home page and one in a simple login JSP with only
2 textfields, by using <form-login-page> in web.xml? If not, how can I do that?
Thanks
BTW, by using this approach, I see no need to store a User bean in Session scope
for authentication, a method that seems to be widely used by others, right?
Unless I want to allow users to log in and update their info.
And I see no need to use an Action to check authentication before a life cycle
method (create, delete, update, read) is invoked on a business bean.
Sweeeet! Or is there any pitfall I should be aware of?
BTW, what's the con of using digested passwords? I mean, why do most people seem
to use BASIC authentication when it's not secure, and use DIGEST only
if they have to?
Thanks
>
> Your point is bigger than Container Mangled Security though. I mean, why
> would people write in VB 6? It's not portable between OS'. Not everyone
> cares about that to the same degree.
>
> Everyone has code that they would have to rewrite something if an underlying
> assumption fails. For some people the assumption is their choice of servlet
> container being used.
>
> > -----Original Message-----
> > From: struts Dude [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, August 26, 2004 11:16 PM
> > To: Struts Users Mailing List
> > Subject: Re: Question about authentication
> >
> >
> > Thanks Joe. Geee, I wonder why someone would
> > advocate for container-managed security since
> > it's not portable between servers.
> >
> > :D
> >
> >
> > ----- Original Message -----
> > From: "Joe Hertz" <[EMAIL PROTECTED]>
> > To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
> > Sent: Friday, August 27, 2004 3:02 PM
> > Subject: RE: Question about authentication
> >
> >
> > > Take a look at http://www.securityfilter.org
> > >
> > > > Can u show me some links of tutorial on how to authenticate
> > > > users using
> > > > servlet filter??
> > > >
> > > > I think servlet filter may be the most portable way for
> > > > authenticating user
> > > > since declarative authentication on web.xml is dependent
> > on Tomcat.
> > >
> > >
> > >
> > >
> > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > >
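As an added illustration, not part of the thread above, here is what the /security/protected/login.jsp referenced by the <form-login-page> element can look like. Under Servlet-specification FORM authentication the container itself handles the credential check: the page only has to POST to the reserved action j_security_check with fields named j_username and j_password (these three names are fixed by the Servlet specification, not chosen by the application). The file name and the error page path come from the web.xml in the message; the page layout is an assumption.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%--
  login.jsp: custom login page for container-managed FORM authentication.
  The container (e.g. Tomcat) serves this page when an unauthenticated
  request hits a protected <url-pattern>; after a successful POST to
  j_security_check it redirects the user back to the originally requested
  resource. Assumed layout; only the action and field names are mandated
  by the Servlet specification.
--%>
<html>
<head>
  <title>Login</title>
</head>
<body>
  <h1>Please log in</h1>

  <%-- POST so that credentials do not appear in the URL, access logs or Referer headers --%>
  <form method="post" action="j_security_check">
    <p>
      <label for="j_username">User name:</label>
      <input type="text" id="j_username" name="j_username" autocomplete="off" />
    </p>
    <p>
      <label for="j_password">Password:</label>
      <input type="password" id="j_password" name="j_password" autocomplete="off" />
    </p>
    <p>
      <input type="submit" value="Log in" />
    </p>
  </form>

  <%-- On a failed login the container forwards to <form-error-page>,
       here /security/protected/error.jsp as configured in web.xml;
       that page should state only that the login failed, not which
       field was wrong, so it does not reveal valid user names. --%>
</body>
</html>
```

Two practical notes. First, web.xml allows exactly one <form-login-page>, but the container only needs the three reserved names, so a second form on the "pretty" home page can use the same action and field names. Second, the container serves the login page in response to an unauthenticated request for a protected resource and then needs that saved request to return to; a form that posts to j_security_check without such a preceding request may be rejected by Tomcat as a direct reference to the login page, so a home-page form is best pointed at a protected URL (for example a link into /do/User/*) that triggers the normal login flow.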