jakarta-cactus-user mailing list archives

From "Robertson, Jason" <Jason.Robert...@acs-inc.com>
Subject RE: Testing authentication
Date Tue, 10 Dec 2002 16:40:43 GMT
Form authentication works just like Basic authentication, you just use the
FormAuthentication object instead of the BasicAuthentication object used in
the example.

You can rename the url-pattern of the redirector to whatever you want, as
long as you update the setRedirectorName call as well, or you could add a
second url-pattern to your web-resource-collection that explicitly names
ServletRedirectorSecure (I think I'd prefer the latter as it is clearer, and
removes any possible Struts-related confusion).

If you do rename it .do, I'd put ServletRedirectorSecure.do (for example)
before the Struts mapping in your servlet mapping section, since I'd be
concerned the request would go to Struts and not the Cactus servlet if the
Struts mapping were listed first (but I'm not sure about that).

You confuse me with the "use a servlet to proxy to form-based
authentication" comment. If *.do is the secured url-pattern, then any
request to a *.do-matching resource will be intercepted by the container and
the login page returned. This login page will then submit the
username/password to somewhere, typically j_security_check. Are you
submitting to somewhere else, then forwarding to j_security_check? If so,
try the setSecurityCheckURL method on FormAuthentication and set it to the
proper place to submit the username/password. (And let us know that it
works, as I don't think that feature has really been tested! :)

Jason

-----Original Message-----
From: Matt Raible [mailto:matt@raibledesigns.com]
Sent: Tuesday, December 10, 2002 12:04 AM
To: cactus-user@jakarta.apache.org
Subject: Testing authentication


I discovered in the mail archives that cactus now supports form-based
authentication.  I'd like to allow for both form-based and basic
authentication testing in my application.

In the documentation at:
http://jakarta.apache.org/cactus/howto_security.html, it mentions coding
for basic authentication using the following code:

public void beginBasicAuthentication(WebRequest theRequest)
{
    theRequest.setRedirectorName("ServletRedirectorSecure");
    theRequest.setAuthentication(
        new BasicAuthentication("testuser", "testpassword"));
}

And in web.xml, you have a url-pattern of:

<url-pattern>/ServletRedirectorSecure</url-pattern>

If my web application uses *.do as its protected URL, can I configure
this as a RedirectorName?  It seems that this example describes only how
to test cactus/container authentication rather than my application's
configuration.  I can use Xdoclet to switch the two, but I'd rather
configure it to test *.do than the ServletRedirectorSecure.

Also, is there an example of testing form-based authentication?

I'm guessing if I use a servlet to proxy to form-based authentication,
it might not be needed though?

Thanks,

Matt
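
Added example, not part of the original thread or the Cactus documentation: a web.xml fragment for the second option in the reply above, where the secured web-resource-collection lists both *.do and the Cactus redirector and the container uses form login. The role name "test", the Struts servlet name "action", the web-resource-name and the two login page paths are assumptions for illustration.

```xml
<!-- Added example: web.xml fragment in Servlet 2.3 element order. -->
<servlet>
  <servlet-name>ServletRedirectorSecure</servlet-name>
  <servlet-class>org.apache.cactus.server.ServletRedirector</servlet-class>
</servlet>

<!-- Exact-path pattern for the redirector. The container's mapping rules
     try exact matches before extension matches such as *.do. -->
<servlet-mapping>
  <servlet-name>ServletRedirectorSecure</servlet-name>
  <url-pattern>/ServletRedirectorSecure</url-pattern>
</servlet-mapping>
<!-- "action" is an assumed name for the Struts servlet, declared elsewhere. -->
<servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>

<!-- One constraint covers the application's URLs and the test redirector,
     so Cactus requests go through the same login path as *.do requests. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected resources</web-resource-name> <!-- assumed -->
    <url-pattern>*.do</url-pattern>
    <url-pattern>/ServletRedirectorSecure</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>test</role-name> <!-- assumed role -->
  </auth-constraint>
</security-constraint>

<!-- Form login; the login page posts to j_security_check. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>      <!-- assumed path -->
    <form-error-page>/loginError.jsp</form-error-page> <!-- assumed path -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>test</role-name>
</security-role>
```

A web application has a single login-config, so the same deployment cannot serve both BASIC and FORM; testing Basic authentication means changing auth-method to BASIC and using BasicAuthentication in the test.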
