Posted to user@struts.apache.org by Caroline Jen <ji...@yahoo.com> on 2003/10/11 03:21:26 UTC

How To Work Out This Action Mapping?

Because there is such a statement (shown below) in my
signinForm.jsp:

<html:form action="j_security_check" method="post" focus="j_username">

I put 

     <action
        name="j_security_check"
        path="/do/admin/Menu"/>

in my struts-config.xml file.

When I ran the application, I got:

[ServletException in:/article/content/signinForm.jsp]
Cannot retrieve mapping for action /j_security_check' 

I know that I did not specify the action properly. 
What is the correct way to do it? 

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: How To Work Out This Action Mapping?

Posted by Caroline Jen <ji...@yahoo.com>.
Craig, thank you for your very strong support in the
past day or two to guide me through problems with the
container-managed authentication.

I looked at my web.xml file again and again.  There is
nothing wrong with the order of the elements in that
file.  And there is no stack trace in the log files
that talks about an XML parsing error.

I did some experiments.  I found that as long as I
have the JDBCRealm in
$TOMCAT_HOME/conf/server.xml, Tomcat does not
accept the <security-constraint> element in the
application's web.xml file.  And Tomcat gives me
"the required resource /MyApplication is not available"
HTTP Status 404. 

Have you seen this kind of problem before?  I have
posted the question at the tomcat-user discussion
forum.

--Caroline



Re: How To Work Out This Action Mapping?

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Caroline Jen wrote:

>To answer your questions:
>
>1. The LOGON button links to a forward: 
>   <html:link forward="logon">LOGON</html:link>
> 
>   and in my struts-config.xml, I have 
>
>     <forward
>        name="logon"
>        path="/do/admin/Menu"/>
>  
>
Well, that's the first problem ... security constraints are only applied 
on an original request from the client, not on a forward.  You'll need 
to add redirect="true" to this, in order to get the client to request it.

>2. the <security-constraint> in my web.xml is:
>
>  <security-constraint>
>    <web-resource-collection>
>        <web-resource-name>Administrative</web-resource-name>
>        <!-- The URLs to protect -->
>        <url-pattern>/do/admin/*</url-pattern>
>    </web-resource-collection>
>      <auth-constraint>
>        <!-- The authorized users -->
>        <role-name>administrator</role-name>
>        <role-name>contributor</role-name>
>      </auth-constraint>
>  </security-constraint>
>
>By the way, there is another problem -- after the
>insertion of the <security-constraint>, the
>application totally stops functioning.  No welcome
>page displayed.  In the browser, I have
>
>HTTP Status 404 -/PracticeVersion
>description: The requested resource(/PracticeVersion)
>is not available.
>
>and in the Tomcat log file, I have:
>
>LifecycleException: Container
>StandardContext[/PracticeVersion] has not been started
>  
>
That means you did not obey the required element order in the web.xml 
file.  You'll undoubtedly see a stack trace in the log files that talks 
about an XML parsing error.

The correct order is defined by the DTD for web.xml files.  Among other 
places, you'll find a copy of the DTDs for Servlet 2.2 and Servlet 2.3 
in the "lib" directory of your Struts distribution.  Open either 
web_app_2_2.dtd or web_app_2_3.dtd (depending on which version you're 
using) and look for the line that starts <!ELEMENT webapp ...>.  The 
list of element names in parentheses is the required order for elements 
in your own web.xml files.

>  
>Thereafter, I deleted the <security-constraint>
>element from the web.xml file.  I have the welcome
>page displayed.  After I click on the LOGON button in
>the welcome page, the welcome page remains in the
>browser.  The logon.jsp, which collects j_username,
>j_password, does not get displayed and
>http://localhost:8080/PracticeVersion/do/admin/Menu
>shows in the address bar.
>  
>
Change your <forward> to add redirect="true" and put the security 
constraint in the correct order, and you should be good to go.

>--Caroline
>
Craig

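
Added example (not part of the original messages): a small checker for the element-order rule described in the reply above. The order list is the content model of <web-app> in web_app_2_3.dtd; the two sample descriptors are constructed for this example and reuse the URL patterns and role names quoted in the thread.

```python
"""Check the top-level element order of a Servlet 2.3 web.xml.

Added example. The sample descriptors below are constructed; only the
/do/admin/* pattern, the role names and the login pages come from the thread.
"""
import xml.etree.ElementTree as ET

# Content model of <!ELEMENT web-app (...)> in the Servlet 2.3 DTD, in order.
WEB_APP_23_ORDER = [
    "icon", "display-name", "description", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "taglib", "resource-env-ref", "resource-ref", "security-constraint",
    "login-config", "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]
# Elements marked "?" in the DTD may appear at most once.
AT_MOST_ONCE = {"icon", "display-name", "description", "distributable",
                "session-config", "welcome-file-list", "login-config"}
RANK = {name: i for i, name in enumerate(WEB_APP_23_ORDER)}


def check_order(web_xml_text):
    """Return a list of problems; an empty list means the order is valid."""
    root = ET.fromstring(web_xml_text)
    if root.tag != "web-app":
        return ["root element is <%s>, expected <web-app>" % root.tag]
    problems = []
    highest, highest_name = -1, None   # furthest-along element seen so far
    seen = set()
    for child in root:
        name = child.tag
        if name not in RANK:
            problems.append("<%s> is not allowed directly under <web-app>" % name)
            continue
        if name in seen and name in AT_MOST_ONCE:
            problems.append("<%s> may appear only once" % name)
        seen.add(name)
        if RANK[name] < highest:
            problems.append("<%s> must come before <%s>" % (name, highest_name))
        else:
            highest, highest_name = RANK[name], name
    return problems


# Constructed fragments, assembled in two different orders below.
SERVLET = """
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>/do/*</url-pattern>
  </servlet-mapping>"""
CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrative</web-resource-name>
      <url-pattern>/do/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
      <role-name>contributor</role-name>
    </auth-constraint>
  </security-constraint>"""
LOGIN = """
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/signin/logon.jsp</form-login-page>
      <form-error-page>/signin/logon.jsp?error=true</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>administrator</role-name></security-role>
  <security-role><role-name>contributor</role-name></security-role>"""

# Constraint pasted ahead of the servlet definitions: invalid per the DTD.
BROKEN = "<web-app>" + CONSTRAINT + SERVLET + LOGIN + "\n</web-app>"
# Constraint after servlet/servlet-mapping and before login-config: valid.
FIXED = "<web-app>" + SERVLET + CONSTRAINT + LOGIN + "\n</web-app>"

if __name__ == "__main__":
    for label, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, check_order(text) or "order OK")
```

Running the same check against a real web.xml before deployment catches the misplacement that otherwise only shows up as a context that fails to start.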


Re: How To Work Out This Action Mapping?

Posted by Caroline Jen <ji...@yahoo.com>.
To answer your questions:

1. The LOGON button links to a forward: 
   <html:link forward="logon">LOGON</html:link>
 
   and in my struts-config.xml, I have 

     <forward
        name="logon"
        path="/do/admin/Menu"/>

2. the <security-constraint> in my web.xml is:

  <security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrative</web-resource-name>
        <!-- The URLs to protect -->
        <url-pattern>/do/admin/*</url-pattern>
    </web-resource-collection>
      <auth-constraint>
        <!-- The authorized users -->
        <role-name>administrator</role-name>
        <role-name>contributor</role-name>
      </auth-constraint>
  </security-constraint>

By the way, there is another problem -- after the
insertion of the <security-constraint>, the
application totally stops functioning.  No welcome
page displayed.  In the browser, I have

HTTP Status 404 -/PracticeVersion
description: The requested resource(/PracticeVersion)
is not available.

and in the Tomcat log file, I have:

LifecycleException: Container
StandardContext[/PracticeVersion] has not been started
  
Thereafter, I deleted the <security-constraint>
element from the web.xml file.  I have the welcome
page displayed.  After I click on the LOGON button in
the welcome page, the welcome page remains in the
browser.  The logon.jsp, which collects j_username,
j_password, does not get displayed and
http://localhost:8080/PracticeVersion/do/admin/Menu
shows in the address bar.

--Caroline



Re: How To Work Out This Action Mapping?

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Caroline Jen wrote:

>Thank you very much for the detailed explanation. 
>Yet, I still have a hard time making my application
>work -- I am "able" to display the welcome page (no
>problem). And I have
>http://localhost:8080/PracticeVersion/do/Menu;jsessionid=0A6E76A8F3E849BC8DAAC45BFB72F72E
>in the address bar.
>
>However, after I click on the LOGON button in the
>welcome page, the welcome page
>
Where does this LOGON button submit to?  If it submits to 
"j_security_check", you are doing this wrong.  It should submit to some 
resource that is protected by a security constraint.

> remains in the browser.
> The logon.jsp, which collects j_username, j_password,
>does not get displayed and
>http://localhost:8080/PracticeVersion/do/admin/Menu
>shows in the address bar.
>
>I do not know what went wrong.  Could it be that the
>JDBCRealm is not configured correctly?
>
>Because the LOGON button links to a forward: 
><html:link forward="logon">LOGON</html:link>
> 
>and in my struts-config.xml, I have 
>
>     <forward
>        name="logon"
>        path="/do/admin/Menu"/>
>
>The /do/admin/Menu is my protected resource.  I keep
>it unchanged.
>  
>
It's only protected if it's listed in a <security-constraint> in web.xml.

>1. I configured the Tomcat JDBCRealm and prepared the
>users table, user-roles table according to the
>instructions found at
>http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
>  
>
Which Realm you use does not make any difference.

>2. Because I want to use FORM based container managed
>authentication, I inserted 
>
><login-config>
>  <auth-method>FORM</auth-method>
>  <form-login-config>
>    <form-login-page>/signin/logon.jsp</form-login-page>
>    <form-error-page>/signin/logon.jsp?error=true</form-error-page>
>  </form-login-config>
></login-config>
>
>in the web.xml file.
>  
>
What does your <security-constraint> in web.xml look like?  This is the 
critical ingredient.

>3. I put logon.jsp in the ApplicationRoot/signin
>folder.  Here is the code of the logon.jsp (I took out
>all the Struts tags) and I know the code works well
>because I have tested it:
>
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
><HTML>
><HEAD>
><TITLE>Container Managed Authentication</TITLE>
></HEAD>
><BODY>
><H1>Sign in, Please</H1>
><HR>
><FORM action="j_security_check" method="post" focus="j_username">
><TABLE border="0" width="50%" cellspacing=3 cellpadding=2>
><TR>
><TH align="right">User Name:</TH>
><TD align="left"><INPUT TYPE=text NAME="j_username" SIZE="25"/></TD>
></TR>
><TR>
><TH align="right">Password:</TH>
><TD align="left"><INPUT TYPE=password NAME="j_password" SIZE="10"/></TD>
></TR>
><TR>
><TD align="right"><INPUT TYPE=submit VALUE="Submit"></TD>
><TD align="left"><INPUT TYPE=reset VALUE="Reset"></TD>
></TR>
></TABLE>
></FORM>
></BODY>
>
>--Caroline
>
Craig

>--- "Craig R. McClanahan" <cr...@apache.org> wrote:
>  
>
>>Caroline Jen wrote:
>>
>>    
>>
>>>Thank you for your reply.  I am using container
>>>managed authentication.
>>>
>>>My problem is "how to go from j_security_check back to
>>>my Struts framework."
>>>
>>That turns out to not be your problem ... that is
>>the container's problem.
>>
>>The key thing to remember is that the user should
>>never access your 
>>login page (whatever its URL is) directly. 
>>Instead, form-based login 
>>is triggered the first time that an unauthenticated
>>user requests a URL 
>>that is protected by a security constraint.  What
>>happens next goes like 
>>this:
>>
>>(1) Unauthenticated user requests a protected
>>resource (*NOT* the login 
>>page!)
>>
>>(2) Container remembers the protected resource that
>>was requested
>>     in a private variable.
>>
>>(3) Container displays the login page, which must
>>have a destination
>>     of "j_security_check", and waits for the user
>>submit.  For some 
>>containers,
>>     including Tomcat, this is the one-and-only time
>>that submitting to
>>     "j_security_check" will not return a 404.
>>
>>(4) User enters username and password, and presses
>>the submit button.
>>
>>(5) Container authenticates the username and
>>password combination.
>>     If valid, container recalls the resource saved
>>in (2) and displays 
>>*that*
>>     to the user in response to the login submit.
>>
>>If this doesn't make sense, temporarily switch your
>>app to use BASIC 
>>authentication instead, and walk through the
>>process.  The user 
>>experience will be identical except that the "login
>>page" will be a 
>>popup dialog box instead of your configured login
>>page.  (Technically, 
>>it's different in one other respect -- it's the
>>*browser* that does the 
>>remembering in step (2) and the restoring in step
>>(5), but the user 
>>doesn't know that).
>>
>>The important point is that, at no time, did anyone
>>ever submit a 
>>request to the URL of the login page, because there
>>is no such thing 
>>when using BASIC authentication.  You should pretend
>>there is no such 
>>thing when using form based login, also; think of
>>the login page as part 
>>of the container, not part of your app.
>>
>>In answer to your original question, the simplest
>>thing to do on a login 
>>page is just use the standard HTML form element
>>instead of the Struts 
>><html:form> tag.  Then, you can just say:
>>
>>  <form method="POST" action="j_security_check">
>>    ...
>>  </form>
>>
>>Craig
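
Added example (not part of the original messages): a toy model of the five-step FORM login sequence and of the forward rule described in this thread. It is a simplified state machine, not Tomcat's implementation; the user table, the /signin/j_security_check path and the outcome labels are constructed for illustration.

```python
"""Toy model of FORM-based container-managed login, following the thread.

Added example: the Session class, outcome labels and USERS table are
assumptions made for the model; the paths mirror the thread's web.xml.
"""

PROTECTED_PREFIX = "/do/admin/"        # <url-pattern>/do/admin/*</url-pattern>
LOGIN_PAGE = "/signin/logon.jsp"       # <form-login-page>
ERROR_PAGE = "/signin/logon.jsp?error=true"   # <form-error-page>
ALLOWED_ROLES = {"administrator", "contributor"}
USERS = {"alice": ("secret", {"administrator"}),   # constructed realm data
         "bob": ("hunter2", {"reader"})}


class Session:
    """Per-browser state kept by the container."""
    def __init__(self):
        self.user = None
        self.saved_request = None   # step (2): the remembered resource


def client_request(session, path, form=None):
    """Handle a request sent by the browser; return (outcome, detail)."""
    form = form or {}
    if path.endswith("/j_security_check"):
        if session.saved_request is None:
            # No protected request was intercepted first: nothing to resume.
            return "404", path
        password, roles = USERS.get(form.get("j_username"), (None, set()))
        if password is None or password != form.get("j_password"):
            return "error-page", ERROR_PAGE      # saved request is kept
        if not roles & ALLOWED_ROLES:
            return "403", session.saved_request
        session.user = form["j_username"]
        target, session.saved_request = session.saved_request, None
        return "resource", target                # step (5)
    if path.startswith(PROTECTED_PREFIX) and session.user is None:
        session.saved_request = path             # step (2)
        return "login-page", LOGIN_PAGE          # step (3)
    return "resource", path


def server_forward(session, path):
    """Server-side forward: per the thread, no security constraint is applied."""
    return "resource", path


def walk_through():
    """Replay the sequence from the thread and return each outcome in order."""
    s = Session()
    good = {"j_username": "alice", "j_password": "secret"}
    bad = {"j_username": "alice", "j_password": "wrong"}
    return [
        client_request(s, "/signin/j_security_check", good),  # direct submit
        client_request(s, "/do/admin/Menu"),                  # step (1)
        client_request(s, "/signin/j_security_check", bad),   # failed login
        client_request(s, "/signin/j_security_check", good),  # steps (4)-(5)
        server_forward(Session(), "/do/admin/Menu"),          # forward, no login
    ]


if __name__ == "__main__":
    for outcome in walk_through():
        print(outcome)
```

The last step is the case to watch for in review: a protected path reached by a server-side forward is returned to an unauthenticated session in this model, which is why the reply asks for redirect="true".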


Re: How To Work Out This Action Mapping?

Posted by Caroline Jen <ji...@yahoo.com>.
Thank you very much for the detailed explanation. 
Yet, I still have a hard time making my application
work -- I am "able" to display the welcome page (no
problem). And I have
http://localhost:8080/PracticeVersion/do/Menu;jsessionid=0A6E76A8F3E849BC8DAAC45BFB72F72E
in the address bar.

However, after I click on the LOGON button in the
welcome page, the welcome page remains in the browser.
 The logon.jsp, which collects j_username, j_password,
does not get displayed and
http://localhost:8080/PracticeVersion/do/admin/Menu
shows in the address bar.

I do not know what went wrong.  Could it be that the
JDBCRealm is not configured correctly?

Because the LOGON button links to a forward: 
<html:link forward="logon">LOGON</html:link>
 
and in my struts-config.xml, I have 

     <forward
        name="logon"
        path="/do/admin/Menu"/>

The /do/admin/Menu is my protected resource.  I keep
it unchanged.

1. I configured the Tomcat JDBCRealm and prepared the
users table, user-roles table according to the
instructions found at
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

2. Because I want to use FORM based container managed
authentication, I inserted 

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/signin/logon.jsp</form-login-page>
    <form-error-page>/signin/logon.jsp?error=true</form-error-page>
  </form-login-config>
</login-config>

in the web.xml file.

3. I put logon.jsp in the ApplicationRoot/signin
folder.  Here is the code of the logon.jsp (I took out
all the Struts tags) and I know the code works well
because I have tested it:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Container Managed Authentication</TITLE>
</HEAD>
<BODY>
<H1>Sign in, Please</H1>
<HR>
<FORM action="j_security_check" method="post" focus="j_username">
<TABLE border="0" width="50%" cellspacing=3 cellpadding=2>
<TR>
<TH align="right">User Name:</TH>
<TD align="left"><INPUT TYPE=text NAME="j_username" SIZE="25"/></TD>
</TR>
<TR>
<TH align="right">Password:</TH>
<TD align="left"><INPUT TYPE=password NAME="j_password" SIZE="10"/></TD>
</TR>
<TR>
<TD align="right"><INPUT TYPE=submit VALUE="Submit"></TD>
<TD align="left"><INPUT TYPE=reset VALUE="Reset"></TD>
</TR>
</TABLE>
</FORM>
</BODY>

--Caroline
--- "Craig R. McClanahan" <cr...@apache.org> wrote:
> Caroline Jen wrote:
>
> >Thank you for your reply.  I am using container
> >managed authentication.
> >
> >My problem is "how to go from j_security_check back to
> >my Struts framework."
>
> That turns out to not be your problem ... that is the container's problem.
>
> The key thing to remember is that the user should never access your
> login page (whatever its URL is) directly.  Instead, form-based login
> is triggered the first time that an unauthenticated user requests a URL
> that is protected by a security constraint.  What happens next goes like
> this:
>
> (1) Unauthenticated user requests a protected resource (*NOT* the login
>      page!)
>
> (2) Container remembers the protected resource that was requested
>      in a private variable.
>
> (3) Container displays the login page, which must have a destination
>      of "j_security_check", and waits for the user submit.  For some
>      containers, including Tomcat, this is the one-and-only time that
>      submitting to "j_security_check" will not return a 404.
>
> (4) User enters username and password, and presses the submit button.
>
> (5) Container authenticates the username and password combination.
>      If valid, container recalls the resource saved in (2) and displays
>      *that* to the user in response to the login submit.
>
> If this doesn't make sense, temporarily switch your app to use BASIC
> authentication instead, and walk through the process.  The user
> experience will be identical except that the "login page" will be a
> popup dialog box instead of your configured login page.  (Technically,
> it's different in one other respect -- it's the *browser* that does the
> remembering in step (2) and the restoring in step (5), but the user
> doesn't know that).
>
> The important point is that, at no time, did anyone ever submit a
> request to the URL of the login page, because there is no such thing
> when using BASIC authentication.  You should pretend there is no such
> thing when using form based login, also; think of the login page as part
> of the container, not part of your app.
>
> In answer to your original question, the simplest thing to do on a login
> page is just use the standard HTML form element instead of the Struts
> <html:form> tag.  Then, you can just say:
>
>   <form method="POST" action="j_security_check">
>     ...
>   </form>
>
> Craig


Re: How To Work Out This Action Mapping?

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Caroline Jen wrote:

>Thank you for your reply.  I am using container
>managed authentication.
>
>My problem is "how to go from j_security_check back to
>my Struts framework."
>  
>

That turns out to not be your problem ... that is the container's problem.

The key thing to remember is that the user should never access your
login page (whatever its URL is) directly.  Instead, form-based login
is triggered the first time that an unauthenticated user requests a URL
that is protected by a security constraint.  What happens next goes like
this:

(1) Unauthenticated user requests a protected resource (*NOT* the login
     page!)

(2) Container remembers the protected resource that was requested
     in a private variable.

(3) Container displays the login page, which must have a destination
     of "j_security_check", and waits for the user submit.  For some
     containers, including Tomcat, this is the one-and-only time that
     submitting to "j_security_check" will not return a 404.

(4) User enters username and password, and presses the submit button.

(5) Container authenticates the username and password combination.
     If valid, container recalls the resource saved in (2) and displays
     *that* to the user in response to the login submit.

If this doesn't make sense, temporarily switch your app to use BASIC 
authentication instead, and walk through the process.  The user 
experience will be identical except that the "login page" will be a 
popup dialog box instead of your configured login page.  (Technically, 
it's different in one other respect -- it's the *browser* that does the 
remembering in step (2) and the restoring in step (5), but the user 
doesn't know that).

The important point is that, at no time, did anyone ever submit a 
request to the URL of the login page, because there is no such thing 
when using BASIC authentication.  You should pretend there is no such 
thing when using form based login, also; think of the login page as part 
of the container, not part of your app.

In answer to your original question, the simplest thing to do on a login 
page is just use the standard HTML form element instead of the Struts 
<html:form> tag.  Then, you can just say:

  <form method="POST" action="j_security_check">
    ...
  </form>

Craig





Re: How To Work Out This Action Mapping?

Posted by Caroline Jen <ji...@yahoo.com>.
Thank you for your reply.  I am using container
managed authentication.

My problem is "how to go from j_security_check back to
my Struts framework."

I have my Tomcat JDBCRealm configured and users,
user_roles tables prepared in the database.

In my struts-config.xml file, I did this forward when
users click on the LOGON button:

     <forward
        name="logon"
        path="/signin/logon.jsp"/>

and in my web.xml file, I have:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/signin/logon.jsp</form-login-page>
    <form-error-page>/signin/logon.jsp?error=true</form-error-page>
  </form-login-config>
</login-config>

The Tomcat server found the signinForm.jsp through the
/signin/logon.jsp without problem.

and my signinForm.jsp is correctly prepared:

<%@ taglib uri="/tags/struts-html" prefix="html" %>
<HTML>
<HEAD>
<TITLE>Container Managed Authentication</TITLE>
</HEAD>
<BODY>
<html:errors/>
<html:form action="j_security_check" method="post" focus="j_username">
<TABLE border="0" width="100%">
<TR>
<TH align="right">User Name:</TH>
<TD align="left"><html:text property="j_username" size="25"/></TD>
</TR>
<TR>
<TH align="right">Password:</TH>
<TD align="left"><html:password property="j_password" size="10"/></TD>
</TR>
<TR>
<TD align="right"><html:submit/></TD>
<TD align="left"><html:reset/></TD>
</TR>
</TABLE>
</html:form>
</BODY>
</HTML>

--Caroline   
--- Sasha Borodin <sa...@whoissasha.com> wrote:
> I think you may be doing two things wrong:
>
> 1.  j_security_check is a special URL.  If you have a security realm defined
> in your web application, and authentication method specified as FORM, then
> the container will automatically forward any requests for protected
> resources to a configurable login form.  This login form collects the
> username and password, and posts to this special URL; the post to
> j_security_check gets intercepted by your servlet container, which performs
> Container Managed Authentication - it looks for the j_username and
> j_password, authenticates the combination, and forwards to the originally
> requested resource, or to a configurable error page if the authentication
> fails.
>
> All this to say that you cannot map an action to j_security_check.
> Furthermore, you can't even aggressively authenticate using CMA (Container
> Managed Authentication) - if you go directly to your login page (without
> being forwarded there by your container), and try to submit the form, you'll
> get an error.
>
> 2.  If you were trying to map a legitimate URL, then you'd have your
> <action> properties wrong.
>
> <action
>     path="/someLegitimatePath"
>     type="your.action.class"
>     name="name of a previously defined ActionForm if needed for this action"/>
>
> HTH,
>
> -Sasha
>
>
> On 10/10/03 20:21, "Caroline Jen" <ji...@yahoo.com> wrote:
>
> > Because there is such a statement (shown below) in my
> > signinForm.jsp:
> >
> > <html:form action="j_security_check" method="post"
> > focus="j_username">
> >
> > I put
> >
> >    <action
> >       name="j_security_check"
> >       path="/do/admin/Menu"/>
> >
> > in my struts-config.xml file.
> >
> > When I ran the application, I got:
> >
> > [ServletException in:/article/content/signinForm.jsp]
> > Cannot retrieve mapping for action /j_security_check'
> >
> > I know that I did not specify the action properly.
> > What is the correct way to do it?


Re: How To Work Out This Action Mapping?

Posted by Sasha Borodin <sa...@whoissasha.com>.
I think you may be doing two things wrong:

1.  j_security_check is a special URL.  If you have a security realm defined
in your web application, and authentication method specified as FORM, then
the container will automatically forward any requests for protected
resources to a configurable login form.  This login form collects the
username and password, and posts to this special URL; the post to
j_security_check gets intercepted by your servlet container, which performs
Container Managed Authentication - it looks for the j_username and
j_password, authenticates the combination, and forwards to the originally
requested resource, or to a configurable error page if the authentication
fails.

All this to say that you cannot map an action to j_security_check.
Furthermore, you can't even aggressively authenticate using CMA (Container
Managed Authentication) - if you go directly to your login page (without
being forwarded there by your container), and try to submit the form, you'll
get an error.

2.  If you were trying to map a legitimate URL, then you'd have your
<action> properties wrong.

<action
    path="/someLegitimatePath"
    type="your.action.class"
    name="name of a previously defined ActionForm if needed for this action"/>

HTH,

-Sasha


On 10/10/03 20:21, "Caroline Jen" <ji...@yahoo.com> wrote:

> Because there is such a statement (shown below) in my
> signinForm.jsp:
> 
> <html:form action="j_security_check" method="post"
> focus="j_username">
> 
> I put 
> 
>    <action
>       name="j_security_check"
>       path="/do/admin/Menu"/>
> 
> in my struts-config.xml file.
> 
> When I ran the application, I got:
> 
> [ServletException in:/article/content/signinForm.jsp]
> Cannot retrieve mapping for action /j_security_check'
> 
> I know that I did not specify the action properly.
> What is the correct way to do it?
> 
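Added example, not part of any message in this thread and not Tomcat's code: a simplified Python model of the FORM login sequence in Craig's steps (1) to (5), including the error Sasha describes when the login form is submitted without the container having sent the user there. The user record, role name and session ids are constructed; the 404 follows the thread's description of Tomcat.

```python
import hmac

# Constructed sample data: one user with the role guarding /do/admin/*.
USERS = {"caroline": ("s3cret", {"admin"})}
PROTECTED = {"/do/admin/": "admin"}          # URL prefix -> required role
LOGIN_PAGE = "/signin/logon.jsp"
ERROR_PAGE = "/signin/logon.jsp?error=true"


class Container:
    """Toy servlet container; handle() returns (status, resource served)."""

    def __init__(self):
        self.sessions = {}                   # session id -> per-session state

    def _required_role(self, path):
        for prefix, role in PROTECTED.items():
            if path.startswith(prefix):
                return role
        return None

    def handle(self, sid, method, path, form=None):
        sess = self.sessions.setdefault(sid, {"user": None, "saved": None})
        if path.endswith("/j_security_check"):
            return self._login(sess, method, form or {})
        role = self._required_role(path)
        if role is None:
            return 200, path                 # unprotected: served as-is
        if sess["user"] is None:
            sess["saved"] = path             # step (2): remember the request
            return 200, LOGIN_PAGE           # step (3): show the login page
        if role not in USERS[sess["user"]][1]:
            return 403, "forbidden"          # authenticated but lacks the role
        return 200, path

    def _login(self, sess, method, form):
        # Without a saved request there is no login in progress, so a
        # direct submit to j_security_check fails.
        if method != "POST" or sess["saved"] is None:
            return 404, "j_security_check"
        name, password = form.get("j_username"), form.get("j_password")
        record = USERS.get(name)
        if record is None or not hmac.compare_digest(record[0], password or ""):
            return 200, ERROR_PAGE           # saved request survives a bad login
        sess["user"], target = name, sess["saved"]
        sess["saved"] = None                 # the saved request is used once
        return 200, target                   # step (5): serve what was asked for
```

Because the target after login comes from server-side session state rather than from anything in the login form, the application never chooses where j_security_check lands; linking to the protected URL, as with the forward to /do/admin/Menu, is what starts the sequence.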