Posted to user@struts.apache.org by struts Dude <sc...@slingshot.co.nz> on 2004/08/29 07:36:53 UTC

SecurityFilter Question?

Hi

Can someone give me a few pointers on using SecurityFilter
with Struts? This can save me potentially hrs of debugging.

My securityfilter-config.xml is:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE securityfilter-config PUBLIC
    "-//SecurityFilter.org//DTD Security Filter Configuration 1.1//EN"
    "http://www.securityfilter.org/dtd/securityfilter-config_1_1.dtd">

<securityfilter-config>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Admin Page</web-resource-name>
         <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>admin</role-name>
      </auth-constraint>
   </security-constraint>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>User Page</web-resource-name>
         <url-pattern>/user/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>user</role-name>
      </auth-constraint>
   </security-constraint>

   <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
         <form-login-page>/WEB-INF/pages/Login.jsp</form-login-page>
         <form-error-page>/WEB-INF/pages/error.jsp</form-error-page>
         <form-default-page>/index.jsp</form-default-page>
      </form-login-config>
   </login-config>

   <realm className="app.IbatisSecurityRealm">
      <realm-param name="exampleProperty" value="it works!" />
   </realm>

</securityfilter-config>

Now my struts-config.xml has something like

 <action path="/LogAction" 
     type="app.LogAction" 
     name="logonForm" 
     scope="request" 
     input="/WEB-INF/pages/Logon.jsp" 
     parameter="action"
     validate="false">
     <forward
      name="success"
      path="/WEB-INF/pages/Welcome.jsp"/>
     </action>


And the path of every action in struts-config.xml will be 
prefixed with either /admin/ or /user/ except for
those actions that forward to Home page, login and
free info JSP page.

Now Login.jsp has a submit button that will invoke LogAction,
which will put a User bean in Session once user is validated.

** Now according to document on SecurityFilter, SecurityFilter 
supports "unsolicited" login requests => when I press submit 
button on Login.jsp, is authentication by SecurityFilter 
class called first or authentication by LogAction called
first ???

** Can I use Struts html tags in Logon.jsp to work with
SecurityFilter? E.g.
<html:form action="/LogAction"  focus="j_username">

** If authentication by SecurityFilter is processed first,
then I don't really need to authenticate user in LogAction
class but simply put User bean in Session, right ??? 

Since SecurityFilter will do the authentication for me
and direct page to error.jsp  if validation failed.

** If validation fails, can I still queue error message 
(ActionError) in LogAction so that error.jsp will
display it?



Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: SecurityFilter Question?

Posted by struts Dude <sc...@slingshot.co.nz>.

Just found out I have to use action="j_security_check" in <form ...>
tag. So how do I make sure user bean is added to Session within
LogAction once authentication by SecurityFilter succeeds???

I would like to invoke SecurityFilter authentication before user
hits a restricted page and is redirected to login page, i.e. say have
login form in front page or every non-restricted page.



Re: SecurityFilter Question?

Posted by struts Dude <sc...@slingshot.co.nz>.
Wow that was quick response, thanks Jason.

:D



Re: SecurityFilter Question?

Posted by Jason Lea <ja...@kumachan.net.nz>.
struts Dude wrote:

>Thanks Jason.
>
>Problem solved. Wooohooo.
>
>Correct me if I am wrong, it looks like
>I am automatically logged out after login if
>I do nothing after some time. How
>do I make session last for duration of
>browser life or till user logs out explicitly?
>  
>
Yes, the user principal lives in the session.  When the session expires 
or is invalidated you are logged out.  This makes logout buttons easy 
too, just do session.invalidate() and the user can log in as a new user.

You can manually set the session timeout on the session object (I 
believe), or in your web.xml you can use
<session-config>
<session-timeout>30</session-timeout>
</session-config>

with the number of minutes you want the session to live.

>Also found out that I don't need a separate login
>form for each different user. 1 login form for all
>users is allowed. duuhh me.
>  
>
yep

>I don't quite see the need to define
>restricted URL in securityfilter-config.xml as
>
> <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Admin Page</web-resource-name>
>         <url-pattern>/admin/*</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>         <role-name>admin</role-name>
>      </auth-constraint>
>   </security-constraint>
>
>if I simply add roles attribute in action mapping of struts-config.xml.
>All my restricted action mapping has user roles attribute rather than
>using path attribute e.g. path="admin/bla". I hope that is not bad practice.
>  
>
Using the security constraint means you can also protect static html 
pages too.  If you have /admin/abc.html or /admin/abc.jpg these would 
need the user to be logged in as admin to view them.  Whatever is 
easiest for you.  It can be nice to know that anything in /admin/* 
needs a role of admin to access it, whereas if you forget to add 
role="admin" to an action you might not notice.

>Also, it looks like there is no way to use client/server side struts validation
>to convey error message on login form. E.g. password is incorrect.
>  
>
Yes, sort of.  If your securityfilter-config.xml does this:

         <form-error-page>/LoginError.do</form-error-page>

Then the LoginError action can put the error messages into the 
ActionErrors like any action does, then display the login.jsp.  
login.jsp can display the error messages as you would normally.  You 
won't know whether the password or username were incorrect.  So a 
generic try again message should be ok.



-- 
Jason Lea
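
The point above, that a forgotten roles attribute on an action can go unnoticed, can be checked mechanically. The following is an added example, not code from this thread or from the SecurityFilter or Struts projects: it audits a struts-config.xml against a securityfilter-config.xml and reports actions covered by neither a url-pattern nor a roles attribute. The embedded configs, the .do suffix and the PUBLIC_ACTIONS allowlist are constructed assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ConstraintAudit {
    // Constructed sample, shaped like the securityfilter-config.xml in this thread.
    static final String SECURITYFILTER_XML = "<securityfilter-config>"
        + "<security-constraint><web-resource-collection>"
        + "<url-pattern>/admin/*</url-pattern></web-resource-collection>"
        + "<auth-constraint><role-name>admin</role-name></auth-constraint>"
        + "</security-constraint>"
        + "<security-constraint><web-resource-collection>"
        + "<url-pattern>/user/*</url-pattern></web-resource-collection>"
        + "<auth-constraint><role-name>user</role-name></auth-constraint>"
        + "</security-constraint></securityfilter-config>";

    // Constructed sample; the action paths and types are hypothetical.
    static final String STRUTS_XML = "<struts-config><action-mappings>"
        + "<action path='/admin/EditUser' type='app.EditUserAction'/>"
        + "<action path='/user/Profile' type='app.ProfileAction'/>"
        + "<action path='/Report' type='app.ReportAction' roles='admin'/>"
        + "<action path='/DeleteUser' type='app.DeleteUserAction'/>"
        + "<action path='/LoginError' type='app.LoginErrorAction'/>"
        + "</action-mappings></struts-config>";

    // Actions meant to be reachable without logging in (assumption).
    static final List<String> PUBLIC_ACTIONS = Arrays.asList("/LoginError", "/Welcome");

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Real config files carry a DOCTYPE: never fetch the DTD or external entities.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Servlet-style matching: "/dir/*" prefix, "*.ext" extension, otherwise exact.
    static boolean matches(String pattern, String url) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return url.equals(prefix) || url.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) return url.endsWith(pattern.substring(1));
        return pattern.equals(url);
    }

    // Only constraints that carry an auth-constraint actually demand a role.
    static List<String> protectedPatterns(Document securityFilter) {
        List<String> patterns = new ArrayList<>();
        NodeList constraints = securityFilter.getElementsByTagName("security-constraint");
        for (int i = 0; i < constraints.getLength(); i++) {
            Element c = (Element) constraints.item(i);
            if (c.getElementsByTagName("auth-constraint").getLength() == 0) continue;
            NodeList urls = c.getElementsByTagName("url-pattern");
            for (int j = 0; j < urls.getLength(); j++) {
                patterns.add(urls.item(j).getTextContent().trim());
            }
        }
        return patterns;
    }

    // One line per action: which rule covers it, or UNPROTECTED if none does.
    static List<String> audit(Document securityFilter, Document struts, String suffix) {
        List<String> patterns = protectedPatterns(securityFilter);
        List<String> report = new ArrayList<>();
        NodeList actions = struts.getElementsByTagName("action");
        for (int i = 0; i < actions.getLength(); i++) {
            Element action = (Element) actions.item(i);
            String path = action.getAttribute("path");
            String url = path + suffix; // assumes ActionServlet is mapped to *.do
            String roles = action.getAttribute("roles").trim();
            String verdict = "UNPROTECTED";
            for (String p : patterns) {
                if (matches(p, url)) { verdict = "url-pattern " + p; break; }
            }
            if (verdict.equals("UNPROTECTED") && !roles.isEmpty()) {
                verdict = "roles=" + roles + " (checked by Struts only)";
            } else if (verdict.equals("UNPROTECTED") && PUBLIC_ACTIONS.contains(path)) {
                verdict = "public (allowlisted)";
            }
            report.add(url + " -> " + verdict);
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        audit(parse(SECURITYFILTER_XML), parse(STRUTS_XML), ".do").forEach(System.out::println);
    }
}
```

Run as part of a build, an UNPROTECTED line for anything outside the allowlist is the signal that an action was added without either kind of access rule.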



Re: SecurityFilter Question?

Posted by struts Dude <sc...@slingshot.co.nz>.
Thanks Jason.

Problem solved. Wooohooo.

Correct me if I am wrong, it looks like
I am automatically logged out after login if
I do nothing after some time. How
do I make session last for duration of
browser life or till user logs out explicitly?

Also found out that I don't need a separate login
form for each different user. 1 login form for all
users is allowed. duuhh me.

I don't quite see the need to define
restricted URL in securityfilter-config.xml as

 <security-constraint>
      <web-resource-collection>
         <web-resource-name>Admin Page</web-resource-name>
         <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>admin</role-name>
      </auth-constraint>
   </security-constraint>

if I simply add roles attribute in action mapping of struts-config.xml.
All my restricted action mapping has user roles attribute rather than
using path attribute e.g. path="admin/bla". I hope that is not bad practice.

Also, it looks like there is no way to use client/server side struts validation
to convey error message on login form. E.g. password is incorrect.




Re: SecurityFilter Question?

Posted by Jason Lea <ja...@kumachan.net.nz>.
struts Dude wrote:

>>You don't have to use a filter though, you could make a base action that
>>puts the bean into session and have all your actions sub-class that
>>one.
>>    
>>
>
>Using action to put bean in Session after SecurityFilter, how is that
>possible when after authentication by SecurityFilter, u taken right
>back to /user/abc.do where u 1st request it and doesn't pass
>through to action attribute as specified in action-mapping of
>struts-config.xml?
>  
>
you create a base class like

public class BaseAction extends Action {
    public ActionForward execute(...){
       ... do stuff that every action needs, eg checking for/putting user bean in session
    }
}

Then your other actions do something like this

public class MyFirstAction extends BaseAction {
    public ActionForward execute(...){
       super.execute(...);

       ... do whatever your action does
    }  
}

This way, the piece of code that you want every action to execute is in 
one place.

>I have tried to use action, after authentication, I am indeed taken
>back to the page /admin/logon.do or /user/logon.do and got
>error message in browser:
>
>HTTP Status 400 - Invalid path /admin/Logon was requested
>
>message Invalid path /admin/Logon was requested
>
>description The request sent by the client was syntactically incorrect
>(Invalid path /admin/Logon was requested).
>  
>
Is that the url you tried to access or was it something in the 
securityfilter-config.xml?  Whatever it is, it's missing the .do at the 
end eg /admin/Logon.do.
But if it is in the securityfilter-config.xml as a login form then it is 
wrong, as only administrators can access /admin/*

>-------------
>
>My action mapping is struts-conf.xml
>
>Both
>
> <action
>     path="/admin/Logon.do"
>     type="org.apache.struts.actions.ForwardAction"
>      parameter="LogAction.do?action=logon"/>
>
>    <action
>    path="/user/Logon.do"
>    type="org.apache.struts.actions.ForwardAction"
>      parameter="LogAction.do?action=logon"/>
>
><!-- 
>My LogAction extends DispatchAction and will try
>to put User bean in session. -->
>
>or
>
>    <action
>        path="/admin/Logon.do"
>        type="org.apache.struts.actions.ForwardAction"
>        parameter="Welcome.do"/>
>    <action
>        path="/user/Logon.do"
>        type="org.apache.struts.actions.ForwardAction"
>        parameter="Welcome.do"/>
>
>won't work.
>
>-----------------------
>
>BTW, how wud u use html:form to display
>login fields?
>
>I can't get struts tag to work with login fields
>except for using things like:
>
><form action="j_security_check" method="POST">
> Username: <input type="text" name="j_username"><p>
> Password: <input type="password" name="j_password"><p>
> <input type="Submit">
>
></form>
>  
>
Don't know about html:form - i use something like you have done.

>------------------
>
>Ok, using filter (as u said) after SecurityFilter wud solve this simply but
>I like to stick with pure Struts approach if possible.
>  
>
Struts is still happy to use filters - it was created before filters 
existed.  It really comes down to what you are happy with and what level 
of container you want your app to work with.

>Thanks
>
>
>  
>
>>Jason Lea
>>
>>
>>
>>    
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>For additional commands, e-mail: user-help@struts.apache.org
>
>
>  
>


-- 
Jason Lea



Re: SecurityFilter Question?

Posted by struts Dude <sc...@slingshot.co.nz>.
Thanks robert. Greatly appreciated.

Now has anyone tried to put login form on every page of
site if user hasn't logged in with STRUTS? Say, put a small login
form on left hand column menu/navigational bar.

 Is there anything I need to look out for?




RE: SecurityFilter Question?

Posted by Robert Taylor <rt...@mulework.com>.
I haven't been following this thread too closely but 
I know it's been somewhat long so if this solution has
already been proposed, I apologize in advance.

We use SecurityFilter and an additional filter which
checks for the Principal in the request. If the Principal exists,
then we can be assured that the user has successfully logged in; at 
which point we check to see if the required information is in the
session. If not, then we persist the required information into the session.
If so, then we do nothing. In either case we allow the filter chain to proceed. 
It has worked quite nicely so far.


Principal principal = req.getUserPrincipal();

if (principal != null) {

      
   if (req.getSession().getAttribute("requiredInformation") == null) {

       // do other login stuff here

   }

}

chain.doFilter(req, res);

hth,

robert
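
The check described in the message above, written out as a complete servlet filter. This is an added example, not Robert's code and not part of SecurityFilter: the User class, the "user" session key and loadUser are hypothetical, and it assumes the javax.servlet API on the classpath and a filter-mapping declared after SecurityFilter's in web.xml.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Keeps a User bean in the session in step with the authenticated principal.
 * Filters run in the order of their filter-mapping entries in web.xml, so this
 * one must be mapped after SecurityFilter for getUserPrincipal() to be populated.
 */
public class UserBeanFilter implements Filter {

    static final String USER_KEY = "user"; // hypothetical session attribute name

    /** Hypothetical bean; a real one would carry whatever the pages need. */
    public static class User implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Hypothetical lookup; replace with the application's own user store. */
    protected User loadUser(String username) {
        return new User(username);
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        Principal principal = req.getUserPrincipal();
        if (principal != null) {
            HttpSession session = req.getSession();
            User user = (User) session.getAttribute(USER_KEY);
            // Reload when the bean is missing or belongs to a different login.
            if (user == null || !principal.getName().equals(user.getName())) {
                session.setAttribute(USER_KEY, loadUser(principal.getName()));
            }
        } else {
            // Not authenticated: do not create a session, and drop any stale bean.
            HttpSession session = req.getSession(false);
            if (session != null) {
                session.removeAttribute(USER_KEY);
            }
        }
        // Runs on every request, so a user sent back to a bookmarked
        // /user/abc.do after login still gets the bean.
        chain.doFilter(request, response);
    }
}
```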

> -----Original Message-----
> From: struts Dude [mailto:scea@slingshot.co.nz]
> Sent: Monday, August 30, 2004 8:19 PM
> To: Struts Users Mailing List
> Subject: Re: SecurityFilter Question?
> 
> 
> 
> ----- Original Message ----- 
> From: "Jason Lea" <ja...@kumachan.net.nz>
> To: "Struts Users Mailing List" <us...@struts.apache.org>
> Sent: Monday, August 30, 2004 6:07 PM
> Subject: Re: SecurityFilter Question?
> 
> > >
> > >Can't u do this using an Action? Say, accessing /admin/LogAction.do
> > >invokes SecurityFilter, after authentication by SecurityFilter is passed,
> > >go directly to LogAction as below
> > >
> > >
> >
> > The problem comes if the user bookmarks a url like /user/abc.do, starts
> > up their browser and goes directly to the protected URL.  The security
> > filter will take them to the login form, they submit username/password
> > and seucirty filter authenticates them.  Once they are authenticated
> > they are redirected back to /users/abc.do - they don't pass through
> > LogAction at all.  So I normally have a filter that makes sure the bean
> > is in session from where ever they are called.
> >
> 
> 
> > You don't have to use a filter though, you could make a base action that
> > does puts the bean into session and have all your actions sub-class that
> > one.
> 
> Using action to put bean in Session after SecurityFilter, how is that
> possible when after authentication by SecurityFilter, u taken right
> back to /user/abc.do where u 1st request it and doesn't pass
> through to action attribute as specified in action-mapping of
> struts-config.xml?
> 
> I have tried to use action, after authentication, I am indeed taken
> back to the page /admin/logon.do or /user/logon.do and got
> error message in browser:
> 
> HTTP Status 400 - Invalid path /admin/Logon was requested
> 
> message Invalid path /admin/Logon was requested
> 
> description The request sent by the client was syntactically incorrect
> (Invalid path /admin/Logon was requested).
> 
> -------------
> 
> My action mapping is struts-conf.xml
> 
> Both
> 
>  <action
>      path="/admin/Logon.do"
>      type="org.apache.struts.actions.ForwardAction"
>       parameter="LogAction.do?action=logon"/>
> 
>     <action
>     path="/user/Logon.do"
>     type="org.apache.struts.actions.ForwardAction"
>       parameter="LogAction.do?action=logon"/>
> 
> <!-- 
> My LogAction extends DispatchAction and will try
> to put User bean in session. -->
> 
> or
> 
>     <action
>         path="/admin/Logon.do"
>         type="org.apache.struts.actions.ForwardAction"
>         parameter="Welcome.do"/>
>     <action
>         path="/user/Logon.do"
>         type="org.apache.struts.actions.ForwardAction"
>         parameter="Welcome.do"/>
> 
> won't work.
> 
> -----------------------
> 
> BTW, how wud u use html:form to display
> login fields?
> 
> I can't get struts tag to work with login fields
> except for using things like:
> 
> <form action="j_security_check" method="POST">
>  Username: <input type="text" name="j_username"><p>
>  Password: <input type="password" name="j_password"><p>
>  <input type="Submit">
> 
> </form>
> 
> ------------------
> 
> Ok, using filter (as u said) after SecurityFilter wud solve this simply but
> I like to stick with pure Struts approach if possible.
> 
> Thanks
> 
> 
> > Jason Lea
> >
> >
> >
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
> 



Re: SecurityFilter Question?

Posted by struts Dude <sc...@slingshot.co.nz>.
----- Original Message ----- 
From: "Jason Lea" <ja...@kumachan.net.nz>
To: "Struts Users Mailing List" <us...@struts.apache.org>
Sent: Monday, August 30, 2004 6:07 PM
Subject: Re: SecurityFilter Question?

> >
> >Can't u do this using an Action? Say, accessing /admin/LogAction.do
> >invokes SecurityFilter, after authentication by SecurityFilter is passed,
> >go directly to LogAction as below
> >
> >
>
> The problem comes if the user bookmarks a url like /user/abc.do, starts
> up their browser and goes directly to the protected URL.  The security
> filter will take them to the login form, they submit username/password
> and security filter authenticates them.  Once they are authenticated
> they are redirected back to /users/abc.do - they don't pass through
> LogAction at all.  So I normally have a filter that makes sure the bean
> is in session from wherever they are called.
>


> You don't have to use a filter though, you could make a base action that
> puts the bean into session and have all your actions sub-class that
> one.

Using action to put bean in Session after SecurityFilter, how is that
possible when after authentication by SecurityFilter, u taken right
back to /user/abc.do where u 1st request it and doesn't pass
through to action attribute as specified in action-mapping of
struts-config.xml?

I have tried to use action, after authentication, I am indeed taken
back to the page /admin/logon.do or /user/logon.do and got
error message in browser:

HTTP Status 400 - Invalid path /admin/Logon was requested

message Invalid path /admin/Logon was requested

description The request sent by the client was syntactically incorrect
(Invalid path /admin/Logon was requested).

-------------

My action mapping is struts-conf.xml

Both

 <action
     path="/admin/Logon.do"
     type="org.apache.struts.actions.ForwardAction"
      parameter="LogAction.do?action=logon"/>

    <action
    path="/user/Logon.do"
    type="org.apache.struts.actions.ForwardAction"
      parameter="LogAction.do?action=logon"/>

<!-- 
My LogAction extends DispatchAction and will try
to put User bean in session. -->

or

    <action
        path="/admin/Logon.do"
        type="org.apache.struts.actions.ForwardAction"
        parameter="Welcome.do"/>
    <action
        path="/user/Logon.do"
        type="org.apache.struts.actions.ForwardAction"
        parameter="Welcome.do"/>

won't work.

-----------------------

BTW, how wud u use html:form to display
login fields?

I can't get struts tag to work with login fields
except for using things like:

<form action="j_security_check" method="POST">
 Username: <input type="text" name="j_username"><p>
 Password: <input type="password" name="j_password"><p>
 <input type="Submit">

</form>

------------------

Ok, using filter (as u said) after SecurityFilter wud solve this simply but
I like to stick with pure Struts approach if possible.

Thanks


> Jason Lea
>
>
>




Re: SecurityFilter Question?

Posted by Jason Lea <ja...@kumachan.net.nz>.
struts Dude wrote:

>----- Original Message ----- 
>From: "Jason Lea" <ja...@kumachan.net.nz>
>To: "Struts Users Mailing List" <us...@struts.apache.org>
>Sent: Sunday, August 29, 2004 11:04 PM
>Subject: Re: SecurityFilter Question?
>
>  
>
>>As for populating a User bean into a session once they are 
>>authenticated....  I have done this in the past with a filter.  I place 
>>it after the security filter in the chain of filters.  It checks if the 
>>user is logged in, if they are and there is no session bean, the filter 
>>creates+populates the bean and stores it in the session ready for any 
>>action that needs to use it.
>>    
>>
>
>Can't u do this using an Action? Say, accessing /admin/LogAction.do
>invokes SecurityFilter, after authentication by SecurityFilter is passed, 
>go directly to LogAction as below
>  
>

The problem comes if the user bookmarks a url like /user/abc.do, starts 
up their browser and goes directly to the protected URL.  The security 
filter will take them to the login form, they submit username/password 
and security filter authenticates them.  Once they are authenticated 
they are redirected back to /users/abc.do - they don't pass through 
LogAction at all.  So I normally have a filter that makes sure the bean 
is in session from wherever they are called.

You don't have to use a filter though, you could make a base action that 
puts the bean into session and have all your actions sub-class that 
one.

><action path="/admin/LogAction" 
>    type="app.LogAction" 
>    name="logonForm" 
>    scope="request" 
>    input="/pages/Logon.jsp" 
>    parameter="action"
>    validate="false">
>    <forward
>     name="success"
>     path="/pages/Welcome.jsp"/>
>     </action>
>
>Within LogAction class, construct User bean from logonForm and
>add it to session. Is that possible or is the request parameters from
>logonForm lost?
>
>Can u be more specific of how u use a filter right after security
>filter to populate User bean and put it in Session?
>  
>
example:

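import java.io.IOException;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {

    public static final String USER_BEAN_KEY = "USER_BEAN_KEY";
    private FilterConfig filterConfig;

    public void init(FilterConfig config) throws ServletException {
        this.filterConfig = config;
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession();

        // Runs once per session: the user is authenticated but no bean is stored yet.
        if (null == session.getAttribute(USER_BEAN_KEY)
            && null != request.getUserPrincipal()) {
            session.setAttribute(USER_BEAN_KEY, request.getUserPrincipal());

            // do your post authentication stuff here
            Principal principal = request.getUserPrincipal();

            // ...
        }
        // Always continue down the chain, authenticated or not.
        chain.doFilter(req, res);
    }
}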

and in the web.xml:

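   <filter-mapping>
      <filter-name>Security Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

   <!-- mapped after Security Filter, so it runs second in the chain -->
   <filter-mapping>
      <filter-name>LoginFilter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>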

>I am thinking of somehow constructing User bean in subclass
>of SimpleSecurityRealmBase, then if authentication pass,
>store this bean somehow and pass it along to requested Action
>specified in struts-config.xml.
>
>Another idea is to somehow integrate SimpleSecurityRealmBase
>into an Action class...
>
>Thanks
>
>  
>
>>In the struts config you can add a role="admin" parameter.  It means 
>>struts will check that the user has that role before it allows the 
>>action to be executed.  Can't remember what happens if they are not 
>>authenticated - might throw an exception that you can catch and display 
>>an error message?
>>
>>struts Dude wrote:
>>
>>    
>>
>>>Hi Jason,
>>>
>>>How do I use a login form that branch out to 2
>>>restricted area depending on user's role using
>>>SecurityFilter? i.e.
>>>- if user has user role and log on, give access
>>>  to /user/*
>>>-  if user has admin role and log on, give access
>>>  to /admin/*
>>>  
>>>The only way I can think of how to do this is to
>>>use 2 links to 2 login forms, 1 form for each.
>>>
>>>BTW, can I assign roles for each Action in 
>>>struts-config.xml so that I don't have to
>>>prefix path attribute of each Action with 
>>>/user or /admin?
>>>
>>>
>>>Thanks
>>>
>>-- 
>>Jason Lea
>>
>>
>>


-- 
Jason Lea
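
The base-action alternative mentioned in the reply above, as an added example that is not part of the original thread or of the Struts or SecurityFilter code. It assumes the Struts 1.x Action API and that SecurityFilter is mapped to /* so request.getUserPrincipal() is populated; BaseUserAction, User, loadUser and executeWithUser are hypothetical names. Beyond the filter shown in the reply, it also replaces a session bean that does not match the current principal and avoids creating sessions for anonymous requests.

```java
import java.io.Serializable;
import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Added example: base class for protected actions (hypothetical name). */
public abstract class BaseUserAction extends Action {

    public static final String USER_BEAN_KEY = "USER_BEAN_KEY";

    /** Hypothetical stand-in for the application's User bean. */
    public static class User implements Serializable {
        private final String username;
        public User(String username) { this.username = username; }
        public String getUsername() { return username; }
    }

    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Anonymous request: do not create a session, and drop any bean
            // left over from an earlier login on this session.
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                existing.removeAttribute(USER_BEAN_KEY);
            }
        } else {
            HttpSession session = request.getSession();
            Object cached = session.getAttribute(USER_BEAN_KEY);
            // Rebuild the bean if it is missing or belongs to another login,
            // so the bean can never disagree with the authenticated principal.
            if (!(cached instanceof User)
                    || !principal.getName().equals(((User) cached).getUsername())) {
                session.setAttribute(USER_BEAN_KEY, loadUser(principal));
            }
        }
        return executeWithUser(mapping, form, request, response);
    }

    /** Override to load the real bean, e.g. from the realm's data source. */
    protected User loadUser(Principal principal) throws Exception {
        return new User(principal.getName());
    }

    /** Subclasses put their action logic here instead of in execute(). */
    protected abstract ActionForward executeWithUser(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}
```

Because execute() is final here, this base class fits plain Action subclasses; a DispatchAction such as LogAction has its own execute() and would need the same check placed in a shared helper instead.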



Re: SecurityFilter Question?

Posted by struts Dude <sc...@slingshot.co.nz>.
----- Original Message ----- 
From: "Jason Lea" <ja...@kumachan.net.nz>
To: "Struts Users Mailing List" <us...@struts.apache.org>
Sent: Sunday, August 29, 2004 11:04 PM
Subject: Re: SecurityFilter Question?

> As for populating a User bean into a session once they are 
> authenticated....  I have done this in the past with a filter.  I place 
> it after the security filter in the chain of filters.  It checks if the 
> user is logged in, if they are and there is no session bean, the filter 
> creates+populates the bean and stores it in the session ready for any 
> action that needs to use it.

Can't u do this using an Action? Say, accessing /admin/LogAction.do
invokes SecurityFilter, after authentication by SecurityFilter is passed, 
go directly to LogAction as below

<action path="/admin/LogAction" 
    type="app.LogAction" 
    name="logonForm" 
    scope="request" 
    input="/pages/Logon.jsp" 
    parameter="action"
    validate="false">
    <forward
     name="success"
     path="/pages/Welcome.jsp"/>
     </action>

Within LogAction class, construct User bean from logonForm and
add it to session. Is that possible or is the request parameters from
logonForm lost?

Can u be more specific of how u use a filter right after security
filter to populate User bean and put it in Session?

I am thinking of somehow constructing User bean in subclass
of SimpleSecurityRealmBase, then if authentication pass,
store this bean somehow and pass it along to requested Action
specified in struts-config.xml.

Another idea is to somehow integrate SimpleSecurityRealmBase
into an Action class...

Thanks

> 
> In the struts config you can add a role="admin" parameter.  It means 
> struts will check that the user has that role before it allows the 
> action to be executed.  Can't remember what happens if they are not 
> authenticated - might throw an exception that you can catch and display 
> an error message?
> 
> struts Dude wrote:
> 
> >Hi Jason,
> >
> >How do I use a login form that branch out to 2
> >restricted area depending on user's role using
> >SecurityFilter? i.e.
> > - if user has user role and log on, give access
> >   to /user/*
> >-  if user has admin role and log on, give access
> >   to /admin/*
> >   
> >The only way I can think of how to do this is to
> >use 2 links to 2 login forms, 1 form for each.
> >
> >BTW, can I assign roles for each Action in 
> >struts-config.xml so that I don't have to
> >prefix path attribute of each Action with 
> >/user or /admin?
> >
> >
> >Thanks
> >
> 
> 
> -- 
> Jason Lea
> 
> 
> 


Re: SecurityFilter Question?

Posted by Jason Lea <ja...@kumachan.net.nz>.
I guess it depends on what sort of application you have.

Normally, you might display a welcome page and give access to all the 
stuff that doesn't need a user to login.  If everything requires them to 
be authenticated, you could just display the welcome + the login form.

Once they log in, display some sort of welcome page for that user.  This 
might have the menu of links they can use.  If you use tiles you can 
insert a tile for a user or admin based on role eg 
<tiles:insert name="menu-user.jsp" role="user"/>

Or use the struts logic tag  <logic:present role="user,guest"> which 
would allow only roles user and guest.

Another way is just to display the link to an action in /user/*, if they 
click on the link and they are not authenticated or have the role of 
'user' they will be directed to the login form.  Once they login and 
they have the role of 'user' then they will get to the /user/* action 
they requested at the start.  So you don't need to do any thing special 
in this case.

As for populating a User bean into a session once they are 
authenticated....  I have done this in the past with a filter.  I place 
it after the security filter in the chain of filters.  It checks if the 
user is logged in, if they are and there is no session bean, the filter 
creates+populates the bean and stores it in the session ready for any 
action that needs to use it.

In the struts config you can add a role="admin" parameter.  It means 
struts will check that the user has that role before it allows the 
action to be executed.  Can't remember what happens if they are not 
authenticated - might throw an exception that you can catch and display 
an error message?

struts Dude wrote:

>Hi Jason,
>
>How do I use a login form that branch out to 2
>restricted area depending on user's role using
>SecurityFilter? i.e.
> - if user has user role and log on, give access
>   to /user/*
>-  if user has admin role and log on, give access
>   to /admin/*
>   
>The only way I can think of how to do this is to
>use 2 links to 2 login forms, 1 form for each.
>
>BTW, can I assign roles for each Action in 
>struts-config.xml so that I don't have to
>prefix path attribute of each Action with 
>/user or /admin?
>
>
>Thanks
>


-- 
Jason Lea





Re: SecurityFilter Question?

Posted by struts Dude <sc...@slingshot.co.nz>.
Hi Jason,

How do I use a login form that branch out to 2
restricted area depending on user's role using
SecurityFilter? i.e.
 - if user has user role and log on, give access
   to /user/*
-  if user has admin role and log on, give access
   to /admin/*
   
The only way I can think of how to do this is to
use 2 links to 2 login forms, 1 form for each.

BTW, can I assign roles for each Action in 
struts-config.xml so that I don't have to
prefix path attribute of each Action with 
/user or /admin?


Thanks



Re: SecurityFilter Question?

Posted by Jason Lea <ja...@kumachan.net.nz>.
These should go to your login action, not the page hidden under the WEB-INF

<form-login-page>/WEB-INF/pages/Login.jsp</form-login-page>
<form-error-page>/WEB-INF/pages/error.jsp</form-error-page>


eg  <form-login-page>/LoginFormAction.do</form-login-page>

Which should probably just forward to the /WEB-INF/pages/Login.jsp



struts Dude wrote:

>Hi
>
>Can someone give me a few pointers on using SecurityFilter
>with Struts? This can save me potentially hrs of debugging.
>
>My securityfilter-config.xml is:
>
><?xml version="1.0" encoding="ISO-8859-1"?>
>
><!DOCTYPE securityfilter-config PUBLIC
>    "-//SecurityFilter.org//DTD Security Filter Configuration 1.1//EN"
>    "http://www.securityfilter.org/dtd/securityfilter-config_1_1.dtd">
>
><securityfilter-config>
>
>   <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>Admin Page</web-resource-name>
>         <url-pattern>/admin/*</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>         <role-name>admin</role-name>
>      </auth-constraint>
>   </security-constraint>
>
>   <security-constraint>
>      <web-resource-collection>
>         <web-resource-name>User Page</web-resource-name>
>         <url-pattern>/user/*</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>         <role-name>user</role-name>
>      </auth-constraint>
>   </security-constraint>
>
>   <login-config>
>      <auth-method>FORM</auth-method>
>      <form-login-config>
>         <form-login-page>/WEB-INF/pages/Login.jsp</form-login-page>
>         <form-error-page>/WEB-INF/pages/error.jsp</form-error-page>
>         <form-default-page>/index.jsp</form-default-page>
>      </form-login-config>
>   </login-config>
>
>   <realm className="app.IbatisSecurityRealm">
>      <realm-param name="exampleProperty" value="it works!" />
>   </realm>
>
></securityfilter-config>
>
>Now my struts-config.xml has something like
>
> <action path="/LogAction" 
>     type="app.LogAction" 
>     name="logonForm" 
>     scope="request" 
>     input="/WEB-INF/pages/Logon.jsp" 
>     parameter="action"
>     validate="false">
>     <forward
>      name="success"
>      path="/WEB-INF/pages/Welcome.jsp"/>
>     </action>
>
>
>And the path of every action in struts-config.xml will be 
>prefixed with either /admin/ or /user/ except for
>those actions that forwards to Home page, login and
>free info JSP page.
>
>Now Login.jsp has a submit button that will invoke LogAction,
>which will put a User bean in Session once user is validated.
>
>** Now according to document on SecurityFilter, SecurityFilter 
>supports "unsolicited" login requests => when I press submit 
>button on Login.jsp, is authentication by SecurityFilter 
>class called first or authentication by LogAction called
>first ???
>  
>
SecurityFilter does its check first because you will have the filter in 
web.xml
   <filter-mapping>
      <filter-name>Security Filter</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>

So all requests will go through security filter first.  The filter then 
looks for /admin/* etc in the url to decide if you need to be authenticated.

>** Can I use Struts html tags in Logon.jsp to work with
>SecurityFilter? E.g.
><html:form action="/LogAction"  focus="j_username">
>  
>
yes

>** If authentication by SecurityFilter is processed first,
>then I don't really need to authenticate user in LogAction
>class but simply put User bean in Session, right ??? 
>  
>
Your action "LogAction" does not need authentication from what you have 
in your security filter config.  You could change your action so it is 
something like this:

<action path="/user/LogAction" 

or

<action path="/admin/LogAction" 

Then you will have to go to /user/LogAction.do or /admin/LogAction.do, 
and security filter will make sure you are logged in or redirect you to 
the login form.

>Since SecurityFilter will do the authentication for me
>and direct page to error.jsp  if validation failed.
>
>** If validation fails, can I still queue error message 
>(ActionError) in LogAction so that error.jsp will
>display it?
>  
>
Yes.  Perhaps you should redirect to LoginError.do instead and put the 
ActionError in there.

>
>
>Thanks
>


-- 
Jason Lea


