Hello all,
This is my attempt at using SecurityFilter + JDBCRealm for
authenticating a Struts application.
If it works, I will post a simple howto on my school webpage to help
other folks with the same difficulties.
So I appreciate all the input, opinions and help that anyone can give me
on the following issues, as well as on my configuration so far.
From what I can see in the examples that come bundled with SecurityFilter
2.0, the Catalina Realm can be declared inside the
securityfilter-config.xml.
Hence, if I put my database information in and use a JDBCRealm, it should
work with database authentication as well.
So if I add the following to my securityfilter-config.xml:

  <Realm
    className="org.apache.catalina.realm.JDBCRealm"
    driverName="com.mysql.jdbc.Driver"
    connectionURL="jdbc:mysql://localhost:3306/antunes"
    connectionName="antunes"
    connectionPassword="antunes"
    userTable="tbl_user" userNameCol="Name" userCredCol="Passwd"
    userRoleTable="tbl_roles" roleNameCol="Role" />
Question: Shall I remove all the <Realm className="....."/> tags from
my Tomcat server.xml so that they get overridden by this one in the
securityfilter-config.xml? Or will they get overridden no matter what?
Question: Shall I add the Catalina realm adapter to my
securityfilter-config.xml as well? Say something like the following:

  <Realm className="org.securityfilter.realm.catalina.CatalinaRealmAdapter" />
I guess this one should be done before the JDBCRealm Realm, correct?
Then specify within the same /WEB-INF/securityfilter-config.xml the
<login-config> tag as follows:

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Name</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
Question: What shall I specify in the <realm-name> tag, or shall I leave
it blank or remove it?
I can then protect my JSPs within the securityfilter-config.xml as follows:
The first one allows users with a role of "participant" as well as an
administrative user with the "admin" role to access /participants.jsp.
The second security constraint allows administrative users only to
access admin.jsp. Both require SSL by specifying CONFIDENTIAL
in the <transport-guarantee> user data constraint tag.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Participants</web-resource-name>
      <url-pattern>/participants.jsp</url-pattern>
    </web-resource-collection>
    <!-- one auth-constraint per security-constraint; listing both
         role-names in it means either role is accepted -->
    <auth-constraint>
      <role-name>participant</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
Now, regarding the login.jsp. The example in SecurityFilter uses
custom constants from a class org.securityfilter.example.Constants.
This is a class that defines static final String constants, nothing more
as far as the code shows.
Those are:
LOGIN_FORM_ID. By looking at the class it is a String of value "loginform".
LOGIN_USERNAME_FIELD. It is actually j_username, which is what you are
supposed to use for container authentication.
LOGIN_PASSWORD_FIELD = j_password.
LOGIN_REMEMBERME_FIELD = j_rememberme.
Question:
SecurityFilter then expects that you use a login form with the standard
container authentication field names like j_username and j_password. Is
this correct?
Final question: As far as verifying that the user is authorized to access
a URL based on their security role and profile, besides what is declared
in the securityfilter-config.xml,
shall I use a Servlet Filter to verify the user and then forward him or her
to a page if he or she does not have access to that URL or JSP page?
Thanks in advance!
C.F.
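Added example, not part of the original post and not SecurityFilter's own code: a small Python evaluator for the <security-constraint> rules quoted above, so one can check offline what decision (allow, require SSL, send to login, forbid) such a configuration yields for a given path, user roles and transport. The constraint XML embedded below is a constructed sample mirroring the post's two constraints; the url-pattern matching follows the servlet-style exact/prefix/extension rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the post's file verbatim): the two constraints from
# the post, each with a single <auth-constraint> whose role-names are OR-ed.
CONFIG_XML = """<securityfilter-config>
  <security-constraint>
    <web-resource-collection><url-pattern>/participants.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>participant</role-name><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</securityfilter-config>"""

def pattern_matches(pattern, path):
    """Servlet-style URL matching: exact, path prefix ('/dir/*') or extension ('*.jsp')."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def load_constraints(xml_text):
    """Return a list of (url_patterns, allowed_roles, transport_guarantee)."""
    constraints = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        patterns = [p.text for p in sc.findall("web-resource-collection/url-pattern")]
        roles = {r.text for r in sc.findall("auth-constraint/role-name")}
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        constraints.append((patterns, roles, guarantee))
    return constraints

def decide(constraints, path, user_roles, secure):
    """Decide 'allow', 'require-ssl', 'login' or 'forbidden' for one request.
    user_roles is None for an unauthenticated request."""
    matched = [c for c in constraints if any(pattern_matches(p, path) for p in c[0])]
    if not matched:
        return "allow"                      # no constraint covers this URL
    if not secure and any(c[2] in ("CONFIDENTIAL", "INTEGRAL") for c in matched):
        return "require-ssl"                # transport guarantee is checked first
    if user_roles is None:
        return "login"                      # send to the FORM login page
    allowed = set().union(*(c[1] for c in matched))
    return "allow" if allowed & set(user_roles) else "forbidden"
```

Running decide(load_constraints(CONFIG_XML), "/admin.jsp", ["participant"], True) returns "forbidden", while the same request with ["admin"] returns "allow".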