Posted to user@struts.apache.org by James Bell <ja...@eek.com> on 2001/04/01 12:48:02 UTC

Logon Dialog

All

I have protected my struts application with the following directives from
the web.xml file for the application (see below).  This works fine.  The
browser displays a popup alert requesting the authentication info.  I have
left the tomcat session timeout to its default value (30 mins I think).  I
can program each page (via the template) in my application to check for the
existence of an attribute that the application establishes soon after logon
and then redirect the browser to the logon page (logon.do).  If I try this
I get a 'request has already been committed' error.  I think the browser
does not know that the server session has been terminated.  What do I need
to do, so that the application forces the browser to re-authenticate the
user on session timeout?

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>trader</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Trader Realm</realm-name>
</login-config>


Re: Logon Dialog

Posted by Incze Lajos <in...@mail.matav.hu>.
On Sun, Apr 01, 2001 at 11:48:02AM +0100, James Bell wrote:
> All
> 
> I have protected my struts application with the following directives from
> the web.xml file for the application (see below).  This works fine.  The
> browser displays a popup alert requesting the authentication info.  I have
> left the tomcat session timeout to its default value (30 mins I think).  I
> can program each page (via the template) in my application to check for the
> existence of an attribute that the application establishes soon after logon
> and then redirect the browser to the logon page (logon.do).  If I try this
> I get a 'request has already been committed' error.  I think the browser
> does not know that the server session has been terminated.  What do I need
> to do, so that the application forces the browser to re-authenticate the
> user on session timeout?
> 
If you use container-based authentication you don't need any on-page
checking; you left this to the container. It is an especially bad idea to
redirect to the login page, as the container won't be able to figure out where
to forward after a successful login. Whenever a user session has timed out,
the container will intercept with the login method whatever URL targets
the protected area.

incze
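
One way to follow the advice in the reply above, as an added example that is not part of the original thread: let the container authenticate, and have the application rebuild its own session attribute from the container's identity when the session is new, rather than redirecting to logon.do. The class name `TraderSession` and the attribute key are hypothetical; the role name `trader` comes from the posted web.xml.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: call at the top of an Action, before any output is written. */
public final class TraderSession {

    // Hypothetical name for the attribute the application sets after logon.
    public static final String USER_KEY = "trader.user";

    private TraderSession() {}

    /**
     * Returns the authenticated user name and makes sure the session attribute
     * matches it, re-creating the attribute after a session timeout.
     */
    public static String ensureUser(HttpServletRequest request) {
        // Set by the container once the security-constraint has been satisfied.
        Principal principal = request.getUserPrincipal();
        if (principal == null || !request.isUserInRole("trader")) {
            // Only reachable if the URL is not covered by the constraint.
            throw new IllegalStateException("resource is not protected by the container");
        }
        String name = principal.getName();

        HttpSession session = request.getSession(true);
        Object stored = session.getAttribute(USER_KEY);
        if (stored != null && !stored.equals(name)) {
            // State belongs to a different user: discard it and start clean.
            session.invalidate();
            session = request.getSession(true);
            stored = null;
        }
        if (stored == null) {
            // New session (first request or after timeout): rebuild state
            // from the container's identity instead of redirecting to logon.do.
            session.setAttribute(USER_KEY, name);
        }
        return name;
    }
}
```

Because the check runs before the page starts writing its response, it does not depend on the response still being uncommitted.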