Return-Path:
Mailing-List: contact struts-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list struts-user@jakarta.apache.org
Received: (qmail 30846 invoked from network); 4 Oct 2000 20:15:02 -0000
Received: from mercury.sun.com (192.9.25.1) by locus.apache.org with SMTP; 4 Oct 2000 20:15:02 -0000
Received: from taller.eng.sun.com ([129.144.174.34]) by mercury.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id NAA13448 for ; Wed, 4 Oct 2000 13:15:00 -0700 (PDT)
Received: from eng.sun.com (florence [129.144.251.146]) by taller.eng.sun.com (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with ESMTP id NAA07730 for ; Wed, 4 Oct 2000 13:14:59 -0700 (PDT)
Message-ID: <39DB9005.4E9FC988@eng.sun.com>
Date: Wed, 04 Oct 2000 13:16:05 -0700
From: "Craig R. McClanahan"
X-Mailer: Mozilla 4.75 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: struts-user@jakarta.apache.org
Subject: Re: Authentication and Authoirzation
References: <2D90C2075E27D4118960000629A832E5CE93D9@scooby.corp.bspark.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

See intermixed.

Colin Sampaleanu wrote:

> > -----Original Message-----
> > From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
> > Sent: October 4, 2000 2:26 PM
> > To: struts-user@jakarta.apache.org
> > Subject: Re: Authentication and Authoirzation
> >
> > Melroy Rodrigues wrote:
> >
> > > Hi,
> > >
> > > Does anyone know if I will be able to use the
> > > RDBMSRealm for authentication and then the ACLs
> > > in web.xml for authorization with Struts?
> > >
> > > Thanks
> > > Melroy
> >
> > You can certainly use the container-managed security features of the
> > Servlet 2.2 specification in a Struts application. The reason I did not
> > do so in the example is that, unfortunately, how you tell your container
> > where to find the list of users and their roles is specific to each
> > container (not portable). For example, Tomcat lets you configure an
> > appropriate Realm implementation -- other containers do it differently.
> >
> > Struts, on the other hand, does not care how authentication is done, and
> > it doesn't enforce the authentication and access control rules because
> > the container does it for you.
>
> There is a fundamental problem in using the declarative (path-based)
> security feature of Servlet 2.2 containers, in an environment running both
> Servlets and JSPs. This is the approach we tried initially, but we gave it
> up for another way... The problem is that when your servlets redirect to
> JSPs the browser doesn't know anything about it, and assumes all relative
> resource references (hrefs, etc.), are off the original path.
>

That is true, but it's also a problem whether or not you are using declarative
security, right? Here are two approaches to dealing with it:

* Use extension mapping (like the example app does) and no subdirectories
  in the document root. That way, the relative references still work
  correctly because the browser thinks that the actions and the pages are
  all at the same "directory level".

* Use the (fairly new) tag somewhere in the section of your JSP page. This
  generates something like this: so that relative references work no matter
  what URL was used to call the action (i.e. the URL that is still showing
  in the browser window).

Craig

====================
See you at ApacheCon Europe !
Session VS01 (23-Oct 13h00-17h00): Sun Technical Briefing
Session T06 (24-Oct 14h00-15h00): Migrating Apache JServ Applications to Tomcat
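
The relative-reference behaviour discussed in this thread, as an added example that is not part of the original message or of Struts: it resolves one relative link the way a browser does for a subdirectory layout, a flat extension-mapped layout, and a page carrying a `<base href>`, then checks which path-based constraint covers the URL actually requested. The host, the paths, the `/admin/*` constraint and the base pointing at the JSP's own URL are all constructed assumptions.

```javascript
// Added example; host, paths and the "/admin/*" constraint are constructed.
const ORIGIN = "http://localhost:8080"; // assumes the app is at the root context

// A browser resolves a relative reference against <base href> when the page
// has one, otherwise against the URL it requested (the action), never
// against the JSP the servlet forwarded to on the server side.
function browserResolves(ref, requestedPath, baseHrefPath) {
  return new URL(ref, ORIGIN + (baseHrefPath || requestedPath)).pathname;
}

// What the page author meant: the reference relative to the JSP itself.
function authorIntended(ref, jspPath) {
  return new URL(ref, ORIGIN + jspPath).pathname;
}

// Servlet url-pattern match: "/prefix/*", "*.ext", or an exact path.
function matchesPattern(pattern, path) {
  if (pattern.endsWith("/*")) {
    const prefix = pattern.slice(0, -2);
    return path === prefix || path.startsWith(prefix + "/");
  }
  if (pattern.startsWith("*.")) return path.endsWith(pattern.slice(1));
  return pattern === path;
}

// One forward: the action the browser requested, the JSP that rendered the
// response, a relative link in that JSP, and an optional <base href> path.
function check({ action, jsp, ref, base }, constraint) {
  const intended = authorIntended(ref, jsp);
  const actual = browserResolves(ref, action, base);
  return {
    intended,
    actual,
    linkWorks: intended === actual,
    constrained: matchesPattern(constraint, actual),
  };
}

const cases = {
  subdirs: { action: "/admin/save.do", jsp: "/pages/user.jsp", ref: "edit.do" },
  flat: { action: "/save.do", jsp: "/user.jsp", ref: "edit.do" },
  baseTag: { action: "/admin/save.do", jsp: "/pages/user.jsp", ref: "edit.do",
             base: "/pages/user.jsp" },
};
for (const [name, c] of Object.entries(cases)) {
  console.log(name, check(c, "/admin/*"));
}
```

In the flat layout a prefix constraint such as `/admin/*` no longer matches anything, so the protected set has to be expressed with exact or extension patterns instead.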