Posted to user@struts.apache.org by Steffen Gransow <sg...@quasa.de> on 2003/11/10 11:53:44 UTC
Servlet filter and Struts
Hi,
I want to implement a servlet filter to redirect users to login when
there is no valid session. Now I have a simple Struts application with a
welcome and a login page. As soon as I add the filter my 'application'
stops working. How do I implement a servlet filter in a correct way to
achieve what I want?
My web.xml looks like this:
<filter>
  <filter-name>loginFilter</filter-name>
  <filter-class>de.quasa.kvnet.util.LoginFilter</filter-class>
  <init-param>
    <param-name>loginPage</param-name>
    <param-value>/jsp/login.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>loginFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
The init-param isn't used at the moment. Is the pattern correct? I would
access my app with a url like this: http://localhost/kvnet
Are there good resources for me to read?
Thanks in advance.
Steffen
---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
RE: Servlet filter and Struts
Posted by Steffen Gransow <sg...@quasa.de>.
But that would be somewhat of an overkill, if all I need is securing
some pages/actions, wouldn't it? I now have a simple servlet filter that
redirects to login page if a simple object isn't to be found in session.
User passwords (that is, hashes) will later be retrieved from a
database. Is this approach wrong or not secure enough? The application
I'm developing only has users, that do all have the same rights. So I
don't need roles at all I think.
A little OT question: What about securing the connection from clients to
server? How is Struts ssl-ext involved in this? I don't know what it can
do. Is it not enough to let clients access the webapp using https? Is it
an added layer of security? I admit to be new to developing larger web
applications (especially struts) and therefore I do not know too much
about role-based or whatever security mechanisms. So please be gentle
with my questions. :)
Regards,
Steffen
-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Vic Cekvenich
Sent: Monday, November 10, 2003 2:06 PM
To: struts-user@jakarta.apache.org
Subject: Re: Servlet filter and Struts
Importance: High
This is the standard way to do what you want... in web-xml only, using
J2EE for container (such as tomcat JDBC realms) for security, a best
practice.
Once you know this part of JAAS, then you can extend, to put more things
about the user in session, and track that in your actions.
<!-- guest -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure</web-resource-name>
    <url-pattern>/do/admin/*</url-pattern>
    <url-pattern>/do/what/*</url-pattern>
    <url-pattern>/do/not/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>VALID</role-name>
    <role-name>ENHANCED</role-name>
    <role-name>GUEST</role-name>
    <role-name>EXPIRED</role-name>
    <role-name>ADMIN</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginBad.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>GUEST</role-name>
</security-role>
<security-role>
  <role-name>VALID</role-name>
</security-role>
<security-role>
  <role-name>ENHANCED</role-name>
</security-role>
<security-role>
  <role-name>EXPIRED</role-name>
</security-role>
<security-role>
  <role-name>ADMIN</role-name>
</security-role>
</web-app>
Steffen Gransow wrote:
> Sorry, wrong mailing list I guess. :\
>
> But what I would like to know is: If I do forward to a specific page
> in a servlet filter, what would the code look like?
>
> RequestDispatcher rd =
> context.getRequestDispatcher("/kvnet/login.jsp");
> rd.forward(request, response);
>
> Or should I use "/kvent/Login.do"? Or am I totally wrong?
>
> Thanks in advance.
>
> Steffen
>
>
> -----Original Message-----
> From: Steffen Gransow [mailto:sgransow@quasa.de]
> Sent: Monday, November 10, 2003 11:54 AM
> To: struts-user@jakarta.apache.org
> Subject: Servlet filter and Struts
>
> Hi,
>
> I want to implement a servlet filter to redirect users to login when
> there is no valid session. Now I have a simple Struts application with
> a welcome and a login page. As soon as I add the filter my
> 'application' stops working. How do I implement a servlet filter in a
> correct way to achieve what I want?
>
> My web.xml looks like this:
>
> <filter>
> <filter-name>loginFilter</filter-name>
>
> <filter-class>de.quasa.kvnet.util.LoginFilter</filter-class>
> <init-param>
> <param-name>loginPage</param-name>
> <param-value>/jsp/login.jsp</param-value>
> </init-param>
> </filter>
> <filter-mapping>
> <filter-name>loginFilter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> The init-param isn't used at the moment. Is the pattern correct? I
> would access my app with a url like this: http://localhost/kvnet
>
> Are there good resources for me to read?
>
> Thanks in advance.
>
> Steffen
--
Victor Cekvenich,
Struts Instructor
(215) 321-9146
Advanced Struts Training
<http://basebeans.com/do/cmsPg?content=TRAINING> Server Side Java
training with Rich UI, mentoring, designs, samples and project recovery
in North East. Simple best practice basic Portal, a Struts CMS,
Membership, Forums, Shopping and Credit processing,
<http://basicportal.com> software, ready to develop/customize; requires
a db to run.
Re: Servlet filter and Struts
Posted by Vic Cekvenich <ce...@baseBeans.com>.
This is the standard way to do what you want... in web-xml only, using
J2EE for container (such as tomcat JDBC realms) for security, a best
practice.
Once you know this part of JAAS, then you can extend, to put more things
about the user in session, and track that in your actions.
<!-- guest -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure</web-resource-name>
    <url-pattern>/do/admin/*</url-pattern>
    <url-pattern>/do/what/*</url-pattern>
    <url-pattern>/do/not/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>VALID</role-name>
    <role-name>ENHANCED</role-name>
    <role-name>GUEST</role-name>
    <role-name>EXPIRED</role-name>
    <role-name>ADMIN</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginBad.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>GUEST</role-name>
</security-role>
<security-role>
  <role-name>VALID</role-name>
</security-role>
<security-role>
  <role-name>ENHANCED</role-name>
</security-role>
<security-role>
  <role-name>EXPIRED</role-name>
</security-role>
<security-role>
  <role-name>ADMIN</role-name>
</security-role>
</web-app>
Steffen Gransow wrote:
> Sorry, wrong mailing list I guess. :\
>
> But what I would like to know is: If I do forward to a specific page in
> a servlet filter, what would the code look like?
>
> RequestDispatcher rd = context.getRequestDispatcher("/kvnet/login.jsp");
> rd.forward(request, response);
>
> Or should I use "/kvent/Login.do"? Or am I totally wrong?
>
> Thanks in advance.
>
> Steffen
>
>
> -----Original Message-----
> From: Steffen Gransow [mailto:sgransow@quasa.de]
> Sent: Monday, November 10, 2003 11:54 AM
> To: struts-user@jakarta.apache.org
> Subject: Servlet filter and Struts
>
> Hi,
>
> I want to implement a servlet filter to redirect users to login when
> there is no valid session. Now I have a simple Struts application with a
> welcome and a login page. As soon as I add the filter my 'application'
> stops working. How do I implement a servlet filter in a correct way to
> achieve what I want?
>
> My web.xml looks like this:
>
> <filter>
> <filter-name>loginFilter</filter-name>
>
> <filter-class>de.quasa.kvnet.util.LoginFilter</filter-class>
> <init-param>
> <param-name>loginPage</param-name>
> <param-value>/jsp/login.jsp</param-value>
> </init-param>
> </filter>
> <filter-mapping>
> <filter-name>loginFilter</filter-name>
> <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> The init-param isn't used at the moment. Is the pattern correct? I would
> access my app with a url like this: http://localhost/kvnet
>
> Are there good resources for me to read?
>
> Thanks in advance.
>
> Steffen
--
Victor Cekvenich,
Struts Instructor
(215) 321-9146
Advanced Struts Training
<http://basebeans.com/do/cmsPg?content=TRAINING> Server Side Java
training with Rich UI, mentoring, designs, samples and project recovery
in North East.
Simple best practice basic Portal, a Struts CMS, Membership, Forums,
Shopping and Credit processing, <http://basicportal.com> software, ready
to develop/customize; requires a db to run.
RE: Servlet filter and Struts
Posted by Steffen Gransow <sg...@quasa.de>.
Sorry, wrong mailing list I guess. :\
But what I would like to know is: If I do forward to a specific page in
a servlet filter, what would the code look like?
RequestDispatcher rd = context.getRequestDispatcher("/kvnet/login.jsp");
rd.forward(request, response);
Or should I use "/kvent/Login.do"? Or am I totally wrong?
Thanks in advance.
Steffen
-----Original Message-----
From: Steffen Gransow [mailto:sgransow@quasa.de]
Sent: Monday, November 10, 2003 11:54 AM
To: struts-user@jakarta.apache.org
Subject: Servlet filter and Struts
Hi,
I want to implement a servlet filter to redirect users to login when
there is no valid session. Now I have a simple Struts application with a
welcome and a login page. As soon as I add the filter my 'application'
stops working. How do I implement a servlet filter in a correct way to
achieve what I want?
My web.xml looks like this:
<filter>
  <filter-name>loginFilter</filter-name>
  <filter-class>de.quasa.kvnet.util.LoginFilter</filter-class>
  <init-param>
    <param-name>loginPage</param-name>
    <param-value>/jsp/login.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>loginFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
The init-param isn't used at the moment. Is the pattern correct? I would
access my app with a url like this: http://localhost/kvnet
Are there good resources for me to read?
Thanks in advance.
Steffen
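
Added example (not code from any post in this thread): a filter mapped to /* also sees the request for the login page itself, so it has to let that request through or every request ends up at login again. The sketch below reads the loginPage init-param from the web.xml above; the session key "user" and the login action path /Login.do are assumptions.

```java
package de.quasa.kvnet.util;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class LoginFilter implements Filter {
    // Assumptions: the login action stores an object under this session key,
    // and the Struts login action is mapped at /Login.do.
    private static final String USER_KEY = "user";
    private static final String LOGIN_ACTION = "/Login.do";
    private String loginPage; // from web.xml, e.g. /jsp/login.jsp

    public void init(FilterConfig config) throws ServletException {
        loginPage = config.getInitParameter("loginPage");
        if (loginPage == null || !loginPage.startsWith("/")) {
            throw new ServletException("loginPage init-param must start with '/'");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Container-decoded path relative to the context root (no "/kvnet" prefix).
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // Exact-match allow-list: anything not listed here requires a login.
        boolean isPublic = path.equals(loginPage) || path.equals(LOGIN_ACTION);

        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null && session.getAttribute(USER_KEY) != null;

        if (isPublic || loggedIn) {
            chain.doFilter(request, response);
            return;
        }
        // Redirect targets are seen by the browser, so they need the context path.
        response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + loginPage));
    }

    public void destroy() {
    }
}
```

If the filter forwards instead of redirecting, ServletContext.getRequestDispatcher() takes a path relative to the context root, so it would be passed loginPage as is, without the /kvnet prefix. Stylesheets or images used by the login page would need their own entries in the allow-list.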