Posted to user@struts.apache.org by Piero Sartini <li...@pierosartini.de> on 2007/02/08 18:21:05 UTC

Authentication / RolesInterceptor

Hello List,

I am trying to figure out how security will work with struts2. I have an EJB3 
application - the frontend will be written using s2.

I added the RolesInterceptor to an action:
----- code ----
            <interceptor-ref name="roles">
                <param name="allowedRoles">portalUser</param>
            </interceptor-ref>
----- code ----

Accessing this action does give me a 403 - that's OK, because I am not logged 
in. But how do I log in?

My web.xml looks like this:
----- code ----
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MyCustomRealm</realm-name>
        <form-login-config>
            <form-login-page>/Login_input.action</form-login-page>
            <form-error-page>/Login_error.action</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>registered portal user</description>
        <role-name>portalUser</role-name>
    </security-role>
----- code ----

Is this correct? Is it even possible to use FORM-based authentication with 
struts2? If not, could you please give me a hint on how this will work?

The goal is that the user is presented with the login form if he is not 
authenticated - if he logged in successfully within that form, the 
intercepted action should continue.

Thanks in advance,
	Piero

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Authentication / RolesInterceptor

Posted by Ian Roughley <ia...@fdar.com>.
Piero Sartini wrote:
> On Thursday, 8 February 2007, Ian Roughley wrote:
>   
>> You probably don't need to send it to an action, you just need to render
>> the HTML form for authentication.  So, login.jsp would suffice.  As far
>> as s2 is concerned, authentication is completely external.  The role
>> interceptor just uses the HttpServletRequest to obtain the roles that
>> the current user is logged in under.
>>     
>
> If security is completely external, what is the Interceptor for? 
Authentication is external - not security.  The interceptor is there to 
provide the user's role (from authenticating) to the action, so the 
action can use it to provide the security constraints that you want in 
your application.
> Defining a 
> SecurityConstraint in the web.xml file will prevent unauthorized access as 
> well, wouldn't it? 
Yes.
> (It seems to be the wrong way to me - I define the actions 
> in struts.xml, I do not see the point to include them in web.xml as well for 
> security)
>   
It's all about options.  I use the web.xml to secure directories, then 
roles in the action / pages to provide finer level of control.
> But the interceptor just responds with a 403 if the user is not authorized - is 
> there no possibility to present another action in this case (the login 
> form?).
>
> Or do I misunderstand this whole thing completely?
>
> ----- code -----
>     <security-constraint>
>         <display-name>Constraint1</display-name>
>         <web-resource-collection>
>             <web-resource-name>profile</web-resource-name>
>             <description>change user profile</description>
>             <url-pattern>/EditProfile_input.action</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>HEAD</http-method>
>             <http-method>PUT</http-method>
>             <http-method>OPTIONS</http-method>
>             <http-method>TRACE</http-method>
>             <http-method>DELETE</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <description/>
>             <role-name>portalUser</role-name>
>         </auth-constraint>
>     </security-constraint>
> ---- code -----
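To make the mechanism in Ian's reply concrete, here is an added example (not code from this thread and not the stock Struts 2 roles interceptor) of a custom interceptor that, like the built-in one, asks the HttpServletRequest for the container-managed principal and roles, but sends an anonymous user to the "login" result instead of a bare 403. It assumes the Struts 2.0 AbstractInterceptor / ServletActionContext API, a hypothetical package name, and a struts.xml result named "login" that leads to the login action.

```java
package example.security; // hypothetical package, not from the thread

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Authentication stays with the container (web.xml login-config); this
 * interceptor only reads the result of it from the request, exactly as the
 * stock roles interceptor does, and decides between "login" and 403.
 */
public class LoginAwareRolesInterceptor extends AbstractInterceptor {

    private List<String> allowedRoles = Collections.emptyList();

    /** Set from <param name="allowedRoles">a,b</param> in struts.xml. */
    public void setAllowedRoles(String roles) {
        allowedRoles = Arrays.asList(roles.trim().split("\\s*,\\s*"));
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        // No principal: the container has not authenticated this session.
        // Returning Action.LOGIN ("login") lets struts.xml map it to the
        // login action; no role check is attempted for an anonymous user.
        if (request.getUserPrincipal() == null) {
            return Action.LOGIN;
        }

        // Authenticated: let the container answer the role question.
        for (String role : allowedRoles) {
            if (request.isUserInRole(role)) {
                return invocation.invoke();
            }
        }

        // Authenticated but not authorized: 403, never fall through to the action.
        ServletActionContext.getResponse().sendError(HttpServletResponse.SC_FORBIDDEN);
        return null;
    }
}
```

With container FORM login the form is only honoured when the container itself forwarded to it after intercepting a request for a constrained URL, so the "login" result should redirect to a URL covered by a web.xml security-constraint rather than render the form directly.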

Re: Authentication / RolesInterceptor

Posted by Piero Sartini <li...@pierosartini.de>.
On Thursday, 8 February 2007, Ian Roughley wrote:
> You probably don't need to send it to an action, you just need to render
> the HTML form for authentication.  So, login.jsp would suffice.  As far
> as s2 is concerned, authentication is completely external.  The role
> interceptor just uses the HttpServletRequest to obtain the roles that
> the current user is logged in under.

If security is completely external, what is the Interceptor for? Defining a 
SecurityConstraint in the web.xml file will prevent unauthorized access as 
well, wouldn't it? (It seems to be the wrong way to me - I define the actions 
in struts.xml, I do not see the point of including them in web.xml as well for 
security.)

But the interceptor just responds with a 403 if the user is not authorized - is 
there no possibility to present another action in this case (the login 
form?).

Or do I misunderstand this whole thing completely?

----- code -----
    <security-constraint>
        <display-name>Constraint1</display-name>
        <web-resource-collection>
            <web-resource-name>profile</web-resource-name>
            <description>change user profile</description>
            <url-pattern>/EditProfile_input.action</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>portalUser</role-name>
        </auth-constraint>
    </security-constraint>
---- code -----



Re: Authentication / RolesInterceptor

Posted by Ian Roughley <ia...@fdar.com>.
You probably don't need to send it to an action, you just need to render 
the HTML form for authentication.  So, login.jsp would suffice.  As far 
as s2 is concerned, authentication is completely external.  The role 
interceptor just uses the HttpServletRequest to obtain the roles that 
the current user is logged in under.

/Ian


