Posted to user@struts.apache.org by Andrew Shirk <sh...@ncsa.uiuc.edu> on 2003/10/07 22:45:39 UTC

Re: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

Logical paths work fine for me in web.xml (using tomcat 4.1.x):

   <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
         <form-login-page>
            /do/login/edit
         </form-login-page>
         <form-error-page>
            /do/login/fail
         </form-error-page>
      </form-login-config>
   </login-config>

Andrew

At 03:11 PM 10/7/2003, you wrote:
>People answer questions without reading my original
>post.  Therefore, I must re-type my original question
>again.
>
>Before I posted my question, I had configured the
>Tomcat JDBCRealm following the instructions at
>http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
>so that I can do security testing programmatically, such
>as isUserInRole(), in my program.
>
>If I use form based authentication, I insert the
><login-config> and its sub-elements in my web.xml file
>(see below).  As we know, the <form-login-page> and
><form-error-page> are required.
>
>My question is that the container-managed
>authentication (we provide login page and error page
>in the web.xml) does not seem to be consistent with
>what we usually do in struts; e.g. we state the
>logical name and path for each .jsp page in the
>struts-config.xml file.
>
>What is the Struts convention in dealing with user
>authentication?  Should we specify the paths for the
>logon page and error page in the struts.config.xml or
>we should use the <form-login-page> and
><form-error-page> in the web.xml file?
>
>Thanks.
>--- "Craig R. McClanahan" <cr...@apache.org> wrote:
> > Caroline Jen wrote:
> >
> > >But, I do not want to use BASIC authentication.  I
> > >have many different roles and hundreds of people per
> > >role.  Users' name, role, etc. are stored in a
> > >database.
> > >
> > How authentication is performed (BASIC, form-based,
> > DIGEST, or SSL client certificates) and how users are
> > stored (database, directory server, local XML file, ...)
> > are two separate questions.  For most servers, any
> > combination is possible.  With Tomcat, for example, you
> > can configure JDBCRealm to point at your user and role
> > definitions in a database, and then use those users with
> > any of the authentication methods.  For more information, see:
> >
> > http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
> >
> > The choice between BASIC and form-based authentication,
> > then, can be based on user interface related concerns,
> > rather than worrying about a database.
> >
> > Craig
> >
> > >--- Matt Raible <MR...@RESORTQUEST.com> wrote:
> > >
> > >>A JDBCRealm can use BASIC authentication - it
> > >>doesn't require form-based.
> > >>Here's an example app that might help you out:
> > >>
> > >>http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
> > >>
> > >>HTH,
> > >>
> > >>Matt
> > >>
> > >>-----Original Message-----
> > >>From: Caroline Jen [mailto:jiapei_jen@yahoo.com]
> > >>Sent: Monday, October 06, 2003 4:45 PM
> > >>To: struts-user@jakarta.apache.org
> > >>Subject: Container-Managed Authentication
> > >><login-config> in web.xml vs.
> > >>Specifying Paths in the struts-config.xml
> > >>
> > >>I use the Tomcat.  I configured the Tomcat JDBCRealm
> > >>so that I can use programmatic security testing, such as
> > >>isUserInRole(), in my program.
> > >>
> > >>Because Tomcat JDBCRealm is form based, I inserted the
> > >><login-config> and its sub-elements in my web.xml file
> > >>(see below).  As we know, the <form-login-page> and
> > >><form-error-page> are required.
> > >>
> > >>My question is that the container-managed
> > >>authentication does not seem to be consistent with
> > >>what we usually do in struts; e.g. we state the
> > >>logical name and path for each .jsp page in the
> > >>struts-config.xml file.
> > >>
> > >>What is the Struts convention in dealing with user
> > >>authentication?  Should we specify the paths for the
> > >>logon page and error page in the struts.config.xml or
> > >>we should use the <form-login-page> and
> > >><form-error-page> in the web.xml file?
> > >>
> > >>======================================================
> > >>
> > >><security-constraint>
> > >>   <web-resource-collection>
> > >>      <web-resource-name>SalesInfo</web-resource-name>
> > >>      <url-pattern>/SalesInfo/*</url-pattern>
> > >>      <http-method>GET</http-method>
> > >>      <http-method>POST</http-method>
> > >>   </web-resource-collection>
> > >>   <auth-constraint>
> > >>      <role-name>manager</role-name>
> > >>   </auth-constraint>
> > >>   <user-data-constraint>
> > >>      <transport-guarantee>NONE</transport-guarantee>
> > >>   </user-data-constraint>
> > >></security-constraint>
> > >>
> > >><login-config>
> > >>   <auth-method>FORM</auth-method>
> > >>   <form-login-config>
> > >>      <form-login-page>/authentication/login.html</form-login-page>
> > >>      <form-error-page>/authentication/error.html</form-error-page>
> > >>   </form-login-config>
> > >></login-config>
> > >>
> > >><security-role>
> > >>   <role-name>manager</role-name>
> > >></security-role>
> > >>
> > >>__________________________________
> > >>Do you Yahoo!?
> > >>The New Yahoo! Shopping - with improved product
> > >>search
> > >>http://shopping.yahoo.com
> > >>
> > >>
> > >>
> > >>
> >
> >---------------------------------------------------------------------
> > >
> > >
> > >>To unsubscribe, e-mail:
> > >>struts-user-unsubscribe@jakarta.apache.org
> > >>For additional commands, e-mail:
> > >>struts-user-help@jakarta.apache.org



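How the two files fit together, as an added example that is not part of the original thread: web.xml names the logical login paths for the container, and struts-config.xml maps those paths to the actual pages. The `/do/*` servlet mapping and the JSP locations are assumptions; the constraint differs from the one quoted above in using CONFIDENTIAL transport and omitting `<http-method>`, so credentials travel over TLS and the constraint applies to every HTTP method rather than only GET and POST.

```xml
<!-- WEB-INF/web.xml (fragment; /do/* mapping is an assumption) -->
<servlet>
   <servlet-name>action</servlet-name>
   <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
   <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
   </init-param>
   <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
   <servlet-name>action</servlet-name>
   <url-pattern>/do/*</url-pattern>
</servlet-mapping>

<security-constraint>
   <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/SalesInfo/*</url-pattern>
      <!-- No http-method elements: the constraint covers all methods -->
   </web-resource-collection>
   <auth-constraint>
      <role-name>manager</role-name>
   </auth-constraint>
   <user-data-constraint>
      <!-- CONFIDENTIAL makes the container require TLS for these URLs -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
</security-constraint>

<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <!-- Logical paths handled by the Struts ActionServlet -->
      <form-login-page>/do/login/edit</form-login-page>
      <form-error-page>/do/login/fail</form-error-page>
   </form-login-config>
</login-config>

<security-role>
   <role-name>manager</role-name>
</security-role>

<!-- WEB-INF/struts-config.xml (fragment; JSP paths are hypothetical) -->
<action-mappings>
   <action path="/login/edit" forward="/WEB-INF/pages/login.jsp"/>
   <action path="/login/fail" forward="/WEB-INF/pages/loginError.jsp"/>
</action-mappings>
```

The login JSP still posts `j_username` and `j_password` to `j_security_check`, so the container, not a Struts action, verifies the credentials against the realm.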

Re: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

Posted by Caroline Jen <ji...@yahoo.com>.
Thanks a lot, Andrew.  I got the idea.