Posted to user@struts.apache.org by "Surendran, Vinoth" <Vi...@in.standardchartered.com> on 2007/08/18 09:05:01 UTC

Security Propagation works fine in TOMCAT Server but not in the WebSphere Application Server v6.1

Hi,

I am a newbie to Struts 2 and require urgent assistance on the issue below.

Issue:
-----

I want to secure my web application using container-managed security on
WebSphere Application Server 6.1. I secured all the URLs by placing a
security constraint and mapping the relevant users/groups in my web.xml. But
the security credentials are not propagated to the Filter class, whereas
the same works 100% fine in the TOMCAT server.

Environment
-----------

WebSphere Application Server 6.1
Struts 2.0.9
Rational Application Developer 7

Problem Description
--------------------

After configuring all container-managed security, we were able to get the
security credentials, like remoteUser, in the JSP. But when the form is
submitted to the action class with the Filter as a controller, we
are not able to get the remoteUser by calling request.getRemoteUser() in
the Action.

What we inferred is that the UserPrincipal context in the request
parameter is not available at the Filter.

Below are the entries which we have in web.xml:

      <security-constraint>
            <display-name>secconst12</display-name>
            <web-resource-collection>
                  <web-resource-name>secweb1234</web-resource-name>
                  <url-pattern>*.action</url-pattern>
                  <url-pattern>/*</url-pattern>
                  <url-pattern>*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>PUT</http-method>
                  <http-method>HEAD</http-method>
                  <http-method>TRACE</http-method>
                  <http-method>POST</http-method>
                  <http-method>DELETE</http-method>
                  <http-method>OPTIONS</http-method>
            </web-resource-collection>
            <auth-constraint>
                  <description>secAuthConst12</description>
                  <role-name>secrole12</role-name>
            </auth-constraint>
      </security-constraint>
      <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>DirRealm</realm-name>
      </login-config>
      <security-role>
            <role-name>secrole12</role-name>
      </security-role>

 

 

Below are the steps we tried.

Approach 1

1) Having a Servlet as a controller (submit the JSP form to a Servlet).

      1) When we have the following in web.xml:

            <servlet>
                  <description></description>
                  <display-name>SampleServletController</display-name>
                  <servlet-name>SampleServletController</servlet-name>
                  <servlet-class>com.scb.mbp.action.SampleServletController</servlet-class>
            </servlet>
            <servlet-mapping>
                  <servlet-name>SampleServletController</servlet-name>
                  <url-pattern>*.action</url-pattern>
            </servlet-mapping>

      2) When we call request.getRemoteUser() in the servlet's
doPost method, we are able to get the remoteUser name.

Output

This approach works fine in both Apache Tomcat 6.0.14 and WebSphere
Application Server 6.1 (i.e. we are able to get the remoteUser in the
servlet's doPost() method).

Approach 2

2) Having a Servlet Filter as a controller (submit the form to a Servlet
Filter).

      1) When we have the following in web.xml:

            <filter>
                  <description></description>
                  <display-name>SampleFilterController</display-name>
                  <filter-name>SampleFilterController</filter-name>
                  <filter-class>com.scb.mbp.action.SampleFilterController</filter-class>
            </filter>
            <filter-mapping>
                  <filter-name>SampleFilterController</filter-name>
                  <url-pattern>*.action</url-pattern>
            </filter-mapping>

Output

      1) In Apache Tomcat 6.0.14, when we call
request.getRemoteUser() in the Filter's doFilter method, we got the
remoteUser name.

      2) In WebSphere Application Server 6.1, when we call
request.getRemoteUser() in the Filter's doFilter method, we got null.

The above scenarios clearly flag that the application works fine in
TOMCAT and doesn't in the WebSphere Application Server. Please let us
know what would be required to be done to make it work in WebSphere
Application Server v6.1.

 

Regards,

Vinoth
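
A diagnostic filter for narrowing down the symptom reported in this message, added here as an example and not part of the original post. The class name AuthStateProbeFilter is hypothetical; the role name secrole12 comes from the web.xml above, and only standard javax.servlet calls are used.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Added example (hypothetical class, not from the original post).
// Logs what the container exposes about the caller at the filter stage,
// once before the rest of the chain runs and once after it returns.
public class AuthStateProbeFilter implements Filter {
    // Role declared in the <security-role> element of the post's web.xml.
    private static final String ROLE = "secrole12";
    private ServletContext ctx;

    public void init(FilterConfig config) {
        ctx = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        boolean http = req instanceof HttpServletRequest;
        if (http) {
            ctx.log(snapshot("before chain", (HttpServletRequest) req));
        }
        try {
            chain.doFilter(req, res);
        } finally {
            if (http) {
                ctx.log(snapshot("after chain", (HttpServletRequest) req));
            }
        }
    }

    static String snapshot(String stage, HttpServletRequest r) {
        Principal p = r.getUserPrincipal();
        // Record only whether credentials were sent, never their value.
        boolean hasAuthHeader = r.getHeader("Authorization") != null;
        return "[auth-probe] " + stage
                + " " + r.getMethod() + " " + r.getRequestURI()
                + " requestClass=" + r.getClass().getName()
                + " authType=" + r.getAuthType()
                + " remoteUser=" + r.getRemoteUser()
                + " principal=" + (p == null ? null : p.getName())
                + " inRole(" + ROLE + ")=" + r.isUserInRole(ROLE)
                + " authorizationHeaderPresent=" + hasAuthHeader;
    }

    public void destroy() {
        ctx = null;
    }
}
```

Mapped to *.action ahead of the servlet controller (Approach 1) and ahead of the filter controller (Approach 2), the log lines show on each server whether the identity is already absent when the first filter runs, and whether the BASIC credentials reached the container at all.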

 

 
