Posted to user@struts.apache.org by Michael <mi...@idtect.com> on 2002/09/23 10:40:29 UTC

How can I make my logout page not secure?

I'm using J2EE container managed security (in Tomcat).  I set up a rule
to protect all *.do actions.  The problem is my logout.do is protected
as well! 

In my web.xml I have:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All DO</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

And then I use struts to set the security roles for each action.
Although my logout action doesn't have any security roles, the above
config in the web.xml requires a user to be authenticated before
executing an action.

What can I do to unprotect my logout action?



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: How can I make my logout page not secure?

Posted by Bruce Geerdes <br...@sun.com>.
Michael wrote:

> I feel that the user should never get a login
> page when clicking on the logout link, and should never get the logout
> page when logging in.  Yet with container managed security protecting
> *.do this is exactly what happens.

Yes.  The answer is to not put a security constraint around "*.do".

What I did was put a security constraint around "/s/*" and then define my
"secure" actions with that prefix ("/s/account.change.do", "/s/login.do",
etc.).  In your case, it sounds like that'd be every action except for logout,
but I had a number of other actions that I wanted accessible before login
(create new account, read marketing propaganda, etc.).

Bruce
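
The "/s/*" layout described in the reply above, as an added example that is not part of the original thread: a web.xml fragment in which the Struts servlet keeps its *.do mapping and only the /s/ prefix is constrained. The servlet name "action" and the resource name "Secure actions" are assumptions; the URL patterns and the "*" role come from the thread.

```xml
<!-- Added example, not from the original posts. -->

<!-- Struts keeps its extension mapping, so /logout.do and
     /s/account.change.do are both dispatched to the ActionServlet.
     The servlet name "action" is an assumption. -->
<servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure actions</web-resource-name>
    <!-- Path-prefix pattern instead of the extension pattern *.do.
         Matches:        /s/account.change.do, /s/login.do
         Does not match: /logout.do, which is now served without
         triggering the container's login page. -->
    <url-pattern>/s/*</url-pattern>
    <!-- No http-method elements here. With none listed, the constraint
         applies to every HTTP method. Listing only GET and POST, as in
         the original constraint, leaves other methods unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- "*" stands for all roles defined in this web application. -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
```

With this layout every action that must require authentication has to be registered under the /s/ prefix; an action left outside it is reachable without login.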




RE: How can I make my logout page not secure?

Posted by Cliff Rowley <cl...@onsea.net>.
Now that makes perfect sense.

>-----Original Message-----
>From: Michael [mailto:michael@idtect.com] 
>Sent: 23 September 2002 13:50
>To: 'Struts Users Mailing List'
>Subject: RE: How can I make my logout page not secure?
>
>
>Ok, let's make it really simple for those who skipped their breakfast:
>
>A user logs in, uses the site, and then goes to lunch.  Two 
>hours later (or 30 minutes if you're in the US) the user 
>returns and sees the website.  He clicks on the logout link.  
>He gets a login page.  He enters his user id and password, and 
>then sees the "You have logged out" page.
>
>I agree it is confusing.  I feel that the user should never 
>get a login page when clicking on the logout link, and should 
>never get the logout page when logging in.  Yet with container 
>managed security protecting *.do this is exactly what happens.
>
>Michael
>
>> -----Original Message-----
>> From: Cliff Rowley [mailto:cliff@onsea.net]
>> Sent: lundi 23 septembre 2002 14:42
>> To: 'Struts Users Mailing List'
>> Subject: RE: How can I make my logout page not secure?
>> 
>> 
>> Ok, I'm obviously missing a chunk of knowledge somewhere -
>> but if you're already logged out, why do you want to log in - 
>> in order to log out and then log in again?  Also, what is the 
>> impact of closing your browser and opening a new one?  Do you 
>> get a new session?
>> 
>> Sorry if I'm way out there with the fairies.
>> 
>> >-----Original Message-----
>> >From: Michael [mailto:michael@idtect.com]
>> >Sent: 23 September 2002 13:19
>> >To: 'Struts Users Mailing List'
>> >Subject: RE: How can I make my logout page not secure?
>> >
>> >
>> >I have the session serialization turned off and when I restart
>> >tomcat, I have to log out and log back in.  But to log out, I have to
>> >log in first.
>> >
>> >> Out of pure interest, why do you want logout unprotected?  People who
>> >> are logged out won't need to log out, will they?
>> >
>> >
>> >


RE: How can I make my logout page not secure?

Posted by Cliff Rowley <cl...@onsea.net>.
Heh, I forgot to add an emoticon to my message - I was also joking :)

>-----Original Message-----
>From: Michael [mailto:michael@idtect.com] 
>Sent: 23 September 2002 14:09
>To: 'Struts Users Mailing List'
>Subject: RE: How can I make my logout page not secure?
>
>
>> >Ok, let's make it really simple for those who skipped their breakfast:
>> 
>> Let's try not to be condescending in the process though.
>
>It was a joke.  Are they only allowed on Fridays?
>
>
>


RE: How can I make my logout page not secure?

Posted by Michael <mi...@idtect.com>.
> >Ok, let's make it really simple for those who skipped their breakfast:
> 
> Let's try not to be condescending in the process though.

It was a joke.  Are they only allowed on Fridays?





RE: How can I make my logout page not secure?

Posted by Cliff Rowley <cl...@onsea.net>.

>-----Original Message-----
>From: Michael [mailto:michael@idtect.com] 
>Sent: 23 September 2002 13:50
>To: 'Struts Users Mailing List'
>Subject: RE: How can I make my logout page not secure?
>
>
>Ok, let's make it really simple for those who skipped their breakfast:

Let's try not to be condescending in the process though.




RE: How can I make my logout page not secure?

Posted by Michael <mi...@idtect.com>.
Ok, let's make it really simple for those who skipped their breakfast:

A user logs in, uses the site, and then goes to lunch.  Two hours later
(or 30 minutes if you're in the US) the user returns and sees the
website.  He clicks on the logout link.  He gets a login page.  He
enters his user id and password, and then sees the "You have logged out"
page.

I agree it is confusing.  I feel that the user should never get a login
page when clicking on the logout link, and should never get the logout
page when logging in.  Yet with container managed security protecting
*.do this is exactly what happens.

Michael

> -----Original Message-----
> From: Cliff Rowley [mailto:cliff@onsea.net] 
> Sent: lundi 23 septembre 2002 14:42
> To: 'Struts Users Mailing List'
> Subject: RE: How can I make my logout page not secure?
> 
> 
> Ok, I'm obviously missing a chunk of knowledge somewhere - 
> but if you're already logged out, why do you want to log in - 
> in order to log out and then log in again?  Also, what is the 
> impact of closing your browser and opening a new one?  Do you 
> get a new session?
> 
> Sorry if I'm way out there with the fairies.
> 
> >-----Original Message-----
> >From: Michael [mailto:michael@idtect.com]
> >Sent: 23 September 2002 13:19
> >To: 'Struts Users Mailing List'
> >Subject: RE: How can I make my logout page not secure?
> >
> >
> >I have the session serialization turned off and when I restart
> >tomcat, I have to log out and log back in.  But to log out, I 
> >have to log in first.
> >
> >> Out of pure interest, why do you want logout unprotected?  People who
> >> are logged out won't need to log out, will they?
> >
> >
> >


RE: How can I make my logout page not secure?

Posted by Cliff Rowley <cl...@onsea.net>.
Ok, I'm obviously missing a chunk of knowledge somewhere - but if you're
already logged out, why do you want to log in - in order to log out and
then log in again?  Also, what is the impact of closing your browser and
opening a new one?  Do you get a new session?

Sorry if I'm way out there with the fairies.

>-----Original Message-----
>From: Michael [mailto:michael@idtect.com] 
>Sent: 23 September 2002 13:19
>To: 'Struts Users Mailing List'
>Subject: RE: How can I make my logout page not secure?
>
>
>I have the session serialization turned off and when I restart 
>tomcat, I have to log out and log back in.  But to log out, I 
>have to log in first.
>
>> Out of pure interest, why do you want logout unprotected?
>> People who are logged out won't need to log out, will they?
>
>
>


RE: How can I make my logout page not secure?

Posted by Michael <mi...@idtect.com>.
I have the session serialization turned off and when I restart tomcat, I
have to log out and log back in.  But to log out, I have to log in
first.

> Out of pure interest, why do you want logout unprotected?  
> People who are logged out won't need to log out, will they?





RE: How can I make my logout page not secure?

Posted by Andrew Hill <an...@gridnode.com>.
Well, not if it's protected ;-)
Really I suspect he is meaning to say "login" rather than "logout" (would
certainly make a lot more sense that way).

-----Original Message-----
From: Cliff Rowley [mailto:cliff@onsea.net]
Sent: Monday, September 23, 2002 19:08
To: 'Struts Users Mailing List'
Subject: RE: How can I make my logout page not secure?


Then surely it'd work properly?  If the user is logged in, the logout
won't be protected and it can log them out along the way .. If they're
not logged in, they'll get thrown a login screen .. Right?

>-----Original Message-----
>From: Andrew Hill [mailto:andrew.david.hill@gridnode.com]
>Sent: 23 September 2002 12:01
>To: Struts Users Mailing List
>Subject: RE: How can I make my logout page not secure?
>
>
>Perhaps his login & logout are the same action both forwarding
>to the login screen, and if already logged in, logging out
>along the way?
>
>-----Original Message-----
>From: Cliff Rowley [mailto:cliff@onsea.net]
>Sent: Monday, September 23, 2002 18:54
>To: 'Struts Users Mailing List'
>Subject: RE: How can I make my logout page not secure?
>
>
>Out of pure interest, why do you want logout unprotected?
>People who are logged out won't need to log out, will they?
>
>>-----Original Message-----
>>From: Michael [mailto:michael@idtect.com]
>>Sent: 23 September 2002 09:40
>>To: struts-user@jakarta.apache.org
>>Subject: How can I make my logout page not secure?
>>
>>
>>I'm using J2EE container managed security (in Tomcat).  I set up a rule
>>to protect all *.do actions.  The problem is my logout.do is protected
>>as well!
>>
>>In my web.xml I have:
>>
>>  <security-constraint>
>>    <web-resource-collection>
>>      <web-resource-name>All DO</web-resource-name>
>>      <url-pattern>*.do</url-pattern>
>>      <http-method>GET</http-method>
>>      <http-method>POST</http-method>
>>    </web-resource-collection>
>>    <auth-constraint>
>>      <role-name>*</role-name>
>>    </auth-constraint>
>>  </security-constraint>
>>
>>And then I use struts to set the security roles for each action.
>>Although my logout action doesn't have any security roles, the above
>>config in the web.xml requires a user to be authenticated before
>>executing an action.
>>
>>What can I do to unprotect my logout action?
>>
>>
>>


RE: How can I make my logout page not secure?

Posted by Andrew Hill <an...@gridnode.com>.
Yes, I think waiting for the original poster to clarify might be the most
practical course.

(A pity, as I had come up with a very sound reason for unprotecting
logout that involved the RAND corporation, the CIA, a global conspiracy
involving Elvis & Beer.
(Well mostly just beer actually ;->.))

-----Original Message-----
From: Cliff Rowley [mailto:cliff@onsea.net]
Sent: Monday, September 23, 2002 19:14
To: 'Struts Users Mailing List'
Subject: RE: How can I make my logout page not secure?


I was just curious as to why someone would want the logout process
unprotected that was all - I didn't mean anything by it.  Perhaps we
should stop speculating and wait for the original poster to pipe up :)

>-----Original Message-----
>From: Cliff Rowley [mailto:cliff@onsea.net]
>Sent: 23 September 2002 12:08
>To: 'Struts Users Mailing List'
>Subject: RE: How can I make my logout page not secure?
>
>
>Then surely it'd work properly?  If the user is logged in, the
>logout won't be protected and it can log them out along the way
>.. If they're not logged in, they'll get thrown a login screen
>.. Right?
>
>>-----Original Message-----
>>From: Andrew Hill [mailto:andrew.david.hill@gridnode.com]
>>Sent: 23 September 2002 12:01
>>To: Struts Users Mailing List
>>Subject: RE: How can I make my logout page not secure?
>>
>>
>>Perhaps his login & logout are the same action both forwarding
>>to the login screen, and if already logged in, logging out
>>along the way?
>>
>>-----Original Message-----
>>From: Cliff Rowley [mailto:cliff@onsea.net]
>>Sent: Monday, September 23, 2002 18:54
>>To: 'Struts Users Mailing List'
>>Subject: RE: How can I make my logout page not secure?
>>
>>
>>Out of pure interest, why do you want logout unprotected?
>>People who are logged out won't need to log out, will they?
>>
>>>-----Original Message-----
>>>From: Michael [mailto:michael@idtect.com]
>>>Sent: 23 September 2002 09:40
>>>To: struts-user@jakarta.apache.org
>>>Subject: How can I make my logout page not secure?
>>>
>>>
>>>I'm using J2EE container managed security (in Tomcat).  I set up a rule
>>>to protect all *.do actions.  The problem is my logout.do is protected
>>>as well!
>>>
>>>In my web.xml I have:
>>>
>>>  <security-constraint>
>>>    <web-resource-collection>
>>>      <web-resource-name>All DO</web-resource-name>
>>>      <url-pattern>*.do</url-pattern>
>>>      <http-method>GET</http-method>
>>>      <http-method>POST</http-method>
>>>    </web-resource-collection>
>>>    <auth-constraint>
>>>      <role-name>*</role-name>
>>>    </auth-constraint>
>>>  </security-constraint>
>>>
>>>And then I use struts to set the security roles for each action.
>>>Although my logout action doesn't have any security roles, the above
>>>config in the web.xml requires a user to be authenticated before
>>>executing an action.
>>>
>>>What can I do to unprotect my logout action?
>>>
>>>
>>>


RE: How can I make my logout page not secure?

Posted by Cliff Rowley <cl...@onsea.net>.
I was just curious as to why someone would want the logout process
unprotected that was all - I didn't mean anything by it.  Perhaps we
should stop speculating and wait for the original poster to pipe up :)

>-----Original Message-----
>From: Cliff Rowley [mailto:cliff@onsea.net] 
>Sent: 23 September 2002 12:08
>To: 'Struts Users Mailing List'
>Subject: RE: How can I make my logout page not secure?
>
>
>Then surely it'd work properly?  If the user is logged in, the 
>logout won't be protected and it can log them out along the way
>.. If they're not logged in, they'll get thrown a login screen 
>.. Right?
>
>>-----Original Message-----
>>From: Andrew Hill [mailto:andrew.david.hill@gridnode.com]
>>Sent: 23 September 2002 12:01
>>To: Struts Users Mailing List
>>Subject: RE: How can I make my logout page not secure?
>>
>>
>>Perhaps his login & logout are the same action both forwarding
>>to the login screen, and if already logged in, logging out 
>>along the way?
>>
>>-----Original Message-----
>>From: Cliff Rowley [mailto:cliff@onsea.net]
>>Sent: Monday, September 23, 2002 18:54
>>To: 'Struts Users Mailing List'
>>Subject: RE: How can I make my logout page not secure?
>>
>>
>>Out of pure interest, why do you want logout unprotected?
>>People who are logged out won't need to log out, will they?
>>
>>>-----Original Message-----
>>>From: Michael [mailto:michael@idtect.com]
>>>Sent: 23 September 2002 09:40
>>>To: struts-user@jakarta.apache.org
>>>Subject: How can I make my logout page not secure?
>>>
>>>
>>>I'm using J2EE container managed security (in Tomcat).  I set up a rule
>>>to protect all *.do actions.  The problem is my logout.do is protected
>>>as well!
>>>
>>>In my web.xml I have:
>>>
>>>  <security-constraint>
>>>    <web-resource-collection>
>>>      <web-resource-name>All DO</web-resource-name>
>>>      <url-pattern>*.do</url-pattern>
>>>      <http-method>GET</http-method>
>>>      <http-method>POST</http-method>
>>>    </web-resource-collection>
>>>    <auth-constraint>
>>>      <role-name>*</role-name>
>>>    </auth-constraint>
>>>  </security-constraint>
>>>
>>>And then I use struts to set the security roles for each action.
>>>Although my logout action doesn't have any security roles, the above 
>>>config in the web.xml requires a user to be authenticated before 
>>>executing an action.
>>>
>>>What can I do to unprotect my logout action?
>>>
>>>
>>>


RE: How can I make my logout page not secure?

Posted by Michael <mi...@idtect.com>.
The way container managed security works, is if you click logout, you
have to log in and then it's too late to change the target (which is
the logout page).


> -----Original Message-----
> From: Cliff Rowley [mailto:cliff@onsea.net] 
> Sent: lundi 23 septembre 2002 13:08
> To: 'Struts Users Mailing List'
> Subject: RE: How can I make my logout page not secure?
> 
> 
> Then surely it'd work properly?  If the user is logged in, 
> the logout won't be protected and it can log them out along
> the way .. If they're not logged in, they'll get thrown a 
> login screen .. Right?
> 
> >-----Original Message-----
> >From: Andrew Hill [mailto:andrew.david.hill@gridnode.com]
> >Sent: 23 September 2002 12:01
> >To: Struts Users Mailing List
> >Subject: RE: How can I make my logout page not secure?
> >
> >
> >Perhaps his login & logout are the same action both forwarding
> >to the login screen, and if already logged in, logging out 
> >along the way?
> >
> >-----Original Message-----
> >From: Cliff Rowley [mailto:cliff@onsea.net]
> >Sent: Monday, September 23, 2002 18:54
> >To: 'Struts Users Mailing List'
> >Subject: RE: How can I make my logout page not secure?
> >
> >
> >Out of pure interest, why do you want logout unprotected?
> >People who are logged out won't need to log out, will they?
> >
> >>-----Original Message-----
> >>From: Michael [mailto:michael@idtect.com]
> >>Sent: 23 September 2002 09:40
> >>To: struts-user@jakarta.apache.org
> >>Subject: How can I make my logout page not secure?
> >>
> >>
> >>I'm using J2EE container managed security (in Tomcat).  I set up a rule
> >>to protect all *.do actions.  The problem is my logout.do is protected
> >>as well!
> >>
> >>In my web.xml I have:
> >>
> >>  <security-constraint>
> >>    <web-resource-collection>
> >>      <web-resource-name>All DO</web-resource-name>
> >>      <url-pattern>*.do</url-pattern>
> >>      <http-method>GET</http-method>
> >>      <http-method>POST</http-method>
> >>    </web-resource-collection>
> >>    <auth-constraint>
> >>      <role-name>*</role-name>
> >>    </auth-constraint>
> >>  </security-constraint>
> >>
> >>And then I use struts to set the security roles for each action.
> >>Although my logout action doesn't have any security roles, the above
> >>config in the web.xml requires a user to be authenticated before
> >>executing an action.
> >>
> >>What can I do to unprotect my logout action?
> >>
> >>
> >>


RE: How can I make my logout page not secure?

Posted by Cliff Rowley <cl...@onsea.net>.
Then surely it'd work properly?  If the user is logged in, the logout
won't be protected and it can log them out along the way .. If they're
not logged in, they'll get thrown a login screen .. Right?

>-----Original Message-----
>From: Andrew Hill [mailto:andrew.david.hill@gridnode.com] 
>Sent: 23 September 2002 12:01
>To: Struts Users Mailing List
>Subject: RE: How can I make my logout page not secure?
>
>
>Perhaps his login & logout are the same action both forwarding 
>to the login screen, and if already logged in, logging out 
>along the way?
>
>-----Original Message-----
>From: Cliff Rowley [mailto:cliff@onsea.net]
>Sent: Monday, September 23, 2002 18:54
>To: 'Struts Users Mailing List'
>Subject: RE: How can I make my logout page not secure?
>
>
>Out of pure interest, why do you want logout unprotected?  
>People who are logged out won't need to log out, will they?
>
>>-----Original Message-----
>>From: Michael [mailto:michael@idtect.com]
>>Sent: 23 September 2002 09:40
>>To: struts-user@jakarta.apache.org
>>Subject: How can I make my logout page not secure?
>>
>>
>>I'm using J2EE container managed security (in Tomcat).  I set up a rule
>>to protect all *.do actions.  The problem is my logout.do is protected
>>as well!
>>
>>In my web.xml I have:
>>
>>  <security-constraint>
>>    <web-resource-collection>
>>      <web-resource-name>All DO</web-resource-name>
>>      <url-pattern>*.do</url-pattern>
>>      <http-method>GET</http-method>
>>      <http-method>POST</http-method>
>>    </web-resource-collection>
>>    <auth-constraint>
>>      <role-name>*</role-name>
>>    </auth-constraint>
>>  </security-constraint>
>>
>>And then I use struts to set the security roles for each action. 
>>Although my logout action doesn't have any security roles, the above 
>>config in the web.xml requires a user to be authenticated before 
>>executing an action.
>>
>>What can I do to unprotect my logout action?
>>
>>
>>


RE: How can I make my logout page not secure?

Posted by Andrew Hill <an...@gridnode.com>.
Perhaps his login & logout are the same action both forwarding to the login
screen, and if already logged in, logging out along the way?

-----Original Message-----
From: Cliff Rowley [mailto:cliff@onsea.net]
Sent: Monday, September 23, 2002 18:54
To: 'Struts Users Mailing List'
Subject: RE: How can I make my logout page not secure?


Out of pure interest, why do you want logout unprotected?  People who
are logged out won't need to log out, will they?

>-----Original Message-----
>From: Michael [mailto:michael@idtect.com]
>Sent: 23 September 2002 09:40
>To: struts-user@jakarta.apache.org
>Subject: How can I make my logout page not secure?
>
>
>I'm using J2EE container managed security (in Tomcat).  I set
>up a rule to protect all *.do actions.  The problem is my
>logout.do is protected as well!
>
>In my web.xml I have:
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>All DO</web-resource-name>
>      <url-pattern>*.do</url-pattern>
>      <http-method>GET</http-method>
>      <http-method>POST</http-method>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>*</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>And then I use struts to set the security roles for each
>action. Although my logout action doesn't have any security
>roles, the above config in the web.xml requires a user to be
>authenticated before executing an action.
>
>What can I do to unprotect my logout action?
>
>
>


RE: How can I make my logout page not secure?

Posted by Cliff Rowley <cl...@onsea.net>.
Out of pure interest, why do you want logout unprotected?  People who
are logged out won't need to log out, will they?

>-----Original Message-----
>From: Michael [mailto:michael@idtect.com] 
>Sent: 23 September 2002 09:40
>To: struts-user@jakarta.apache.org
>Subject: How can I make my logout page not secure?
>
>
>I'm using J2EE container managed security (in Tomcat).  I set 
>up a rule to protect all *.do actions.  The problem is my 
>logout.do is protected as well! 
>
>In my web.xml I have:
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>All DO</web-resource-name>
>      <url-pattern>*.do</url-pattern>
>      <http-method>GET</http-method>
>      <http-method>POST</http-method>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>*</role-name>
>    </auth-constraint>
>  </security-constraint>
>
>And then I use struts to set the security roles for each 
>action. Although my logout action doesn't have any security 
>roles, the above config in the web.xml requires a user to be 
>authenticated before executing an action.
>
>What can I do to unprotect my logout action?
>
>
>