Posted to user@struts.apache.org by Matt Raible <MR...@RESORTQUEST.com> on 2003/10/07 01:12:52 UTC

RE: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

A JDBCRealm can use BASIC authentication - it doesn't require form-based.
Here's an example app that might help you out:

http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample

HTH,

Matt

-----Original Message-----
From: Caroline Jen [mailto:jiapei_jen@yahoo.com]
Sent: Monday, October 06, 2003 4:45 PM
To: struts-user@jakarta.apache.org
Subject: Container-Managed Authentication <login-config> in web.xml vs.
Specifying Paths in the struts-config.xml


I use Tomcat.  I configured the Tomcat JDBCRealm
so that I can use programmatic security testing, such as
isUserInRole(), in my program.

Because Tomcat JDBCRealm is form based, I inserted the
<login-config> and its sub-elements in my web.xml file
(see below).  As we know, the <form-login-page> and
<form-error-page> are required.

My question is that the container-managed
authentication does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts-config.xml, or
should we use the <form-login-page> and
<form-error-page> in the web.xml file?

======================================================
<security-constraint>
   <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/SalesInfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <role-name>manager</role-name>  
   </auth-constraint>
   <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
</security-constraint>

<login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
      <form-login-page>/authentication/login.html</form-login-page>
      <form-error-page>/authentication/error.html</form-error-page>
   </form-login-config>
</login-config>

<security-role>
   <role-name>manager</role-name>
</security-role>





---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org



Re: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

Posted by Caroline Jen <ji...@yahoo.com>.
Thanks a lot, Andrew.  I got the idea.
--- Andrew Shirk <sh...@ncsa.uiuc.edu> wrote:
> Logical paths work fine for me in web.xml (using
> tomcat 4.1.x):
> 
>    <login-config>
>       <auth-method>FORM</auth-method>
>       <form-login-config>
>          <form-login-page>
>             /do/login/edit
>          </form-login-page>
>          <form-error-page>
>             /do/login/fail
>          </form-error-page>
>       </form-login-config>
>    </login-config>
> 
> Andrew


Re: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

Posted by Andrew Shirk <sh...@ncsa.uiuc.edu>.
Logical paths work fine for me in web.xml (using tomcat 4.1.x):

   <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
         <form-login-page>
            /do/login/edit
         </form-login-page>
         <form-error-page>
            /do/login/fail
         </form-error-page>
      </form-login-config>
   </login-config>

Andrew

At 03:11 PM 10/7/2003, you wrote:
>People answer questions without reading my original
>post.  Therefore, I must re-type my original question
>again.
>
>Before I posted my question, I had configured the
>Tomcat JDBCRealm following the instructions at
>http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
>so that I can do security testing programmatically, such
>as isUserInRole(), in my program.
>
>If I use form based authentication, I insert the
><login-config> and its sub-elements in my web.xml file
>(see below).  As we know, the <form-login-page> and
><form-error-page> are required.
>
>My question is that the container-managed
>authentication (we provide login page and error page
>in the web.xml) does not seem to be consistent with
>what we usually do in struts; e.g. we state the
>logical name and path for each .jsp page in the
>struts-config.xml file.
>
>What is the Struts convention in dealing with user
>authentication?  Should we specify the paths for the
>logon page and error page in the struts-config.xml, or
>should we use the <form-login-page> and
><form-error-page> in the web.xml file?
>
>Thanks.


Re: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

Posted by Caroline Jen <ji...@yahoo.com>.
People answer questions without reading my original
post.  Therefore, I must re-type my original question
again.

Before I posted my question, I had configured the
Tomcat JDBCRealm following the instructions at
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
so that I can do security testing programmatically, such
as isUserInRole(), in my program.

If I use form based authentication, I insert the
<login-config> and its sub-elements in my web.xml file
(see below).  As we know, the <form-login-page> and
<form-error-page> are required.

My question is that the container-managed
authentication (we provide login page and error page
in the web.xml) does not seem to be consistent with
what we usually do in struts; e.g. we state the
logical name and path for each .jsp page in the
struts-config.xml file.  

What is the Struts convention in dealing with user
authentication?  Should we specify the paths for the
logon page and error page in the struts-config.xml, or
should we use the <form-login-page> and
<form-error-page> in the web.xml file?

Thanks.
--- "Craig R. McClanahan" <cr...@apache.org> wrote:
> Caroline Jen wrote:
>
> >But, I do not want to use BASIC authentication.  I
> >have many different roles and hundreds of people per
> >role.  Users' name, role, etc. are stored in a
> >database.
> >
> How authentication is performed (BASIC, form-based, DIGEST, or SSL
> client certificates) and how users are stored (database, directory
> server, local XML file, ...) are two separate questions.  For most
> servers, any combination is possible.  With Tomcat, for example, you
> can configure JDBCRealm to point at your user and role definitions in a
> database, and then use those users with any of the authentication
> methods.  For more information, see:
>
>     http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
>
> The choice between BASIC and form-based authentication, then, can be
> based on user interface related concerns, rather than worrying about a
> database.
>
> Craig


Re: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Caroline Jen wrote:

>But, I do not want to use BASIC authentication.  I
>have many different roles and hundreds of people per
>role.  Users' name, role, etc. are stored in a
>database.
>
How authentication is performed (BASIC, form-based, DIGEST, or SSL 
client certificates) and how users are stored (database, directory 
server, local XML file, ...) are two separate questions.  For most 
servers, any combination is possible.  With Tomcat, for example, you
can configure JDBCRealm to point at your user and role definitions in a 
database, and then use those users with any of the authentication 
methods.  For more information, see:

    http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html

The choice between BASIC and form-based authentication, then, can be 
based on user interface related concerns, rather than worrying about a 
database.

Craig



RE: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

Posted by Navjot Singh <na...@net4india.net>.
You may wish to look at JAAS if you have so many different roles and users per
role.

Anyway, Struts lets you specify a role attribute (that takes comma-separated
values, I guess) for each action. You can extend the RequestProcessor class and
modify the processRoles() method so you can redirect to any page if the roles
are not valid for that action, etc.

Struts, using declarative roles, tried to make things easier in terms of less
programming effort and ease of managing roles. Beyond that I can't see much
difference. Any opinions?

HTH
Navjot Singh

>-----Original Message-----
>From: Caroline Jen [mailto:jiapei_jen@yahoo.com]
>Sent: Tuesday, October 07, 2003 7:26 AM
>To: Struts Users Mailing List
>Subject: RE: Container-Managed Authentication <login-config> in web.xml
>vs . Specifying Paths in the struts-config.xml
>
>
>But, I do not want to use BASIC authentication.  I
>have many different roles and hundreds of people per
>role.  Users' name, role, etc. are stored in a
>database.

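The processRoles() override suggested in the post above, as an added example (not code from the thread or from the Struts project). It assumes Struts 1.x and the Servlet API on the classpath; the package, the class name, the action shown in the comment and the /accessDenied.jsp page are hypothetical.

```java
package example.security; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/**
 * Added example: a RequestProcessor that forwards to an "access denied" page
 * when the caller holds none of the roles declared on the action.
 *
 * Registration in struts-config.xml (action and class names are hypothetical):
 *
 *   <action path="/SalesInfo/list" type="example.SalesListAction"
 *           roles="manager"/>
 *   <controller
 *       processorClass="example.security.RoleForwardingRequestProcessor"/>
 *
 * The <security-constraint> and <login-config> in web.xml stay in place.
 * The container only starts a login (BASIC or FORM) for URLs matched by a
 * security constraint, and isUserInRole() is answered from the configured
 * realm (for example JDBCRealm) once that login has happened. Without the
 * constraint an anonymous caller is never asked to log in and simply fails
 * the role check below.
 */
public class RoleForwardingRequestProcessor extends RequestProcessor {

    /** Hypothetical context-relative page shown when the role check fails. */
    private static final String ACCESS_DENIED_PAGE = "/accessDenied.jsp";

    protected boolean processRoles(HttpServletRequest request,
                                   HttpServletResponse response,
                                   ActionMapping mapping)
            throws IOException, ServletException {

        // No roles attribute on this action: nothing to enforce at this layer.
        String[] roles = mapping.getRoleNames();
        if (roles == null || roles.length == 0) {
            return true;
        }

        // Holding any one of the listed roles is sufficient.
        for (int i = 0; i < roles.length; i++) {
            if (request.isUserInRole(roles[i])) {
                return true;
            }
        }

        // Fail closed: record the denial, answer 403 and stop processing so
        // the Action is never invoked for this request.
        String user = request.getRemoteUser(); // null if not authenticated
        getServletContext().log("Role check failed for action "
                + mapping.getPath() + ", user="
                + (user == null ? "(anonymous)" : user));

        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        request.getRequestDispatcher(ACCESS_DENIED_PAGE)
               .forward(request, response);
        return false;
    }
}
```

Returning false tells the RequestProcessor that the response is already complete, so no Action code runs for a caller who failed the check.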

RE: Container-Managed Authentication in web.xml vs . Specifying Paths in the struts-config.xml

Posted by Caroline Jen <ji...@yahoo.com>.
But, I do not want to use BASIC authentication.  I
have many different roles and hundreds of people per
role.  Users' name, role, etc. are stored in a
database.
--- Matt Raible <MR...@RESORTQUEST.com> wrote:
> A JDBCRealm can use BASIC authentication - it
> doesn't require form-based.
> Here's an example app that might help you out:
>
> http://raibledesigns.com/wiki/Wiki.jsp?page=SecurityExample
> 
> HTH,
> 
> Matt