struts Dude wrote:

> Hi
>
> Can someone give me a few pointers on using SecurityFilter with Struts? This can save me potentially hrs of debugging.
>
> My securityfilter-config.xml is:
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE securityfilter-config PUBLIC "-//SecurityFilter.org//DTD Security Filter Configuration 1.1//EN" "http://www.securityfilter.org/dtd/securityfilter-config_1_1.dtd">
> <securityfilter-config>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Admin Page</web-resource-name>
>       <url-pattern>/admin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>User Page</web-resource-name>
>       <url-pattern>/user/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>user</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/WEB-INF/pages/Login.jsp</form-login-page>
>       <form-error-page>/WEB-INF/pages/error.jsp</form-error-page>
>       <form-default-page>/index.jsp</form-default-page>
>     </form-login-config>
>   </login-config>

These should go to your login action, not the page hidden under the WEB-INF

  <form-login-page>/WEB-INF/pages/Login.jsp</form-login-page>
  <form-error-page>/WEB-INF/pages/error.jsp</form-error-page>

eg <form-login-page>/LoginFormAction.do</form-login-page>

Which should probably just forward to the /WEB-INF/pages/Login.jsp

>   <realm className="app.IbatisSecurityRealm">
>     <realm-param name="exampleProperty" value="it works!" />
>   </realm>
> </securityfilter-config>
>
> Now my struts-config.xml has something like
>
> <action path="/LogAction" type="app.LogAction" name="logonForm" scope="request" input="/WEB-INF/pages/Logon.jsp" parameter="action" validate="false">
>   <forward name="success" path="/WEB-INF/pages/Welcome.jsp"/>
> </action>
>
> And the path of every action in struts-config.xml will be prefixed with either /admin/ or /user/ except for those actions that forward to the Home page, login and free info JSP page.
>
> Now Login.jsp has a submit button that will invoke LogAction, which will put a User bean in Session once user is validated.
>
> ** Now according to document on SecurityFilter, SecurityFilter supports "unsolicited" login requests => when I press submit button on Login.jsp, is authentication by SecurityFilter class called first or authentication by LogAction called first ???

SecurityFilter does its check first because you will have the filter in web.xml

  <filter-mapping>
    <filter-name>Security Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

So all requests will go through security filter first. The filter then looks for /admin/* etc in the url to decide if you need to be authenticated.

> ** Can I use Struts html tags in Logon.jsp to work with SecurityFilter? E.g.
> <html:form action="/LogAction" focus="j_username">

yes

> ** If authentication by SecurityFilter is processed first, then I don't really need to authenticate user in LogAction class but simply put User bean in Session, right ??? Since SecurityFilter will do the authentication for me and direct page to error.jsp if validation failed.

Your action "LogAction" does not need authentication from what you have in your security filter config. You could change your action so it is something like this:

  <action path="/user/LogAction"

or

  <action path="/admin/LogAction"

Then you will have to go to /user/LogAction.do or /admin/LogAction.do, and security filter will make sure you are logged in or redirect you to the login form.

> ** If validation fails, can I still queue error message (ActionError) in LogAction so that error.jsp will display it?

Yes. Perhaps you should redirect to LoginError.do instead and put the ActionError in there.

> Thanks

-- 
Jason Lea

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
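A small check of the two points made in the reply, added here as an example and not part of the thread or of SecurityFilter itself: it parses the securityfilter-config.xml quoted above, reports which action URLs fall under a security-constraint (so /LogAction.do is left to authenticate itself while /user/LogAction.do and /admin/LogAction.do are enforced by the filter), and lists login-config pages that sit under /WEB-INF/. The servlet-style url-pattern matching and the union of overlapping constraints are assumptions about how the filter evaluates constraints, not taken from its source.

```python
import xml.etree.ElementTree as ET

# securityfilter-config.xml from the original message (DOCTYPE dropped so it parses offline)
CONFIG = """<securityfilter-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/user/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><form-login-config>
    <form-login-page>/WEB-INF/pages/Login.jsp</form-login-page>
    <form-error-page>/WEB-INF/pages/error.jsp</form-error-page>
  </form-login-config></login-config>
</securityfilter-config>"""

def load_constraints(xml_text):
    """Return [(url_pattern, [role, ...]), ...] from a securityfilter-config."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for pat in sc.findall("web-resource-collection/url-pattern"):
            out.append((pat.text.strip(), roles))
    return out

def pattern_matches(pattern, path):
    """Servlet-style match (assumed): path prefix ('/user/*'), extension ('*.do') or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def required_roles(constraints, path):
    """Roles demanded for path; empty set means the filter passes it unauthenticated (union assumed)."""
    roles = set()
    for pattern, pattern_roles in constraints:
        if pattern_matches(pattern, path):
            roles.update(pattern_roles)
    return roles

def webinf_login_pages(xml_text):
    """login-config pages under /WEB-INF/, which the reply says should be actions instead."""
    pages = ET.fromstring(xml_text).findall("login-config/form-login-config/*")
    return [(p.tag, p.text.strip()) for p in pages if p.text.strip().startswith("/WEB-INF/")]
```

Run against a real config, an empty role set for an action path means nothing in the filter protects it, exactly the situation the reply describes for /LogAction.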