Posted to user@struts.apache.org by Ho-Ki Au <ha...@oxygensoft.com> on 2002/09/06 01:44:28 UTC

how do I integrate struts with container managed security?

I read in the mail archive that it was possible to apply container managed
security on struts action.  Can someone give me an example on how this can
be done?
I have a servlet-mapping like this:
<servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>

and I would like to trigger a container-managed login whenever an action is
done.  Please help.
-hoki


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: how do I integrate struts with container managed security?

Posted by Phil Steitz <ph...@steitz.com>.
Ho-Ki Au wrote:
> I read in the mail archive that it was possible to apply container managed
> security on struts action.  Can someone give me an example on how this can
> be done?
> I have a servlet-mapping like this:
> <servlet-mapping>
>   <servlet-name>action</servlet-name>
>   <url-pattern>*.do</url-pattern>
> </servlet-mapping>
> 
> and I would like to trigger a container-managed login whenever an action is
> done.  Please help.
> -hoki
> 

Hoki,

The key thing to understand is that struts actions invoked by URLs can
be protected like any other URL resource using container-managed
security.  Check out
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html for a
nice description of how to set up container-managed security using
Tomcat 4.0.

Here is a very simple example using struts 1.02.  In this example,
actions requiring authentication have /a/ at the start of their paths,
others do not. The URL request to the protected resource forces a login.
The constraint below forces *everything* (including HTML pages, jsps)
down the /a/ path to be authenticated.  If you want to protect just the
actions, you need to modify the security constraint.


In web.xml:

    <!-- Security Constraints -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure Area</web-resource-name>
        <url-pattern>/a/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>administrator</role-name>
        <role-name>reader</role-name>
      </auth-constraint>
    </security-constraint>


In struts-config:

      <!-- Register reader **non-authenticated action** -->
      <action path="/register"
              type="com.steitz.library.SaveReaderAction"
              name="readerForm"
              scope="request"
              input="/Register.jsp">
        <forward name="success" path="/welcome.html"/>
        <forward name="error" path="/registrationError.jsp"/>
        <forward name="cancel" path="/registrationCancel.jsp"/>
      </action>

      <!-- Edit book (Update or Create) **action requires authentication** -->
      <action path="/a/editBook"
              type="com.steitz.library.EditBookAction"
              name="bookForm"
              scope="request"
              input="/a/book.jsp"
              validate="false">
        <forward name="success" path="/a/editBook.jsp"/>
      </action>

hth,

Phil
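
A fuller web.xml fragment for the setup described in the reply above, as an added example that is not part of the original thread: it adds the login-config and security-role elements that tell the container how to prompt for credentials, and narrows the constraint to the one protected action. The BASIC method, the realm name "Library" and the HTTPS requirement are assumptions; element order follows the Servlet 2.3 DTD.

```xml
<!-- Added example; BASIC auth, the realm name and the HTTPS requirement
     are assumptions. Role names and the action path come from the thread. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure actions</web-resource-name>
    <!-- Exact-match pattern: covers only this action as mapped by *.do.
         No http-method elements, so every HTTP method is covered. -->
    <url-pattern>/a/editBook.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
    <role-name>reader</role-name>
  </auth-constraint>
  <!-- Assumes an HTTPS connector is configured; keeps BASIC credentials
       off plain HTTP. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Tells the container how to challenge for credentials. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Library</realm-name>
</login-config>

<!-- Every role named in an auth-constraint is declared here. -->
<security-role>
  <role-name>administrator</role-name>
</security-role>
<security-role>
  <role-name>reader</role-name>
</security-role>
```

Servlet url-patterns are exact, prefix (/a/*) or extension (*.do) only, so /a/*.do is not a wildcard and each protected action needs its own url-pattern line. Constraints apply to client requests and not to RequestDispatcher forwards, so with this narrower constraint /a/book.jsp and /a/editBook.jsp stay directly requestable unless they are covered by their own pattern.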
