struts-user mailing list archives

From: Mick.Knut...@ubsw.com
Subject: RE: How to do authentication in different way for different action classes
Date: Fri, 04 Apr 2003 06:33:44 GMT
Would this be valid then:

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Secured Resources</web-resource-name>
         <url-pattern>*.do</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>strutsuser</role-name>
      </auth-constraint>
   </security-constraint>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Public Resources</web-resource-name>
         <url-pattern>/Content/*.do</url-pattern>
      </web-resource-collection>
   </security-constraint>


Where /Content is a subdirectory of the ROOT directory, and that subdirectory is _NOT_ secured,
but everything else _IS_ secured?

This way I do not have to put all my secured pages under /private/* and I can just intermingle
them.


-----Original Message-----
From: Max Cooper [mailto:max@maxcooper.com]
Sent: Friday, April 04, 2003 3:25 AM
To: Struts Users Mailing List; rakadam@cisco.com
Subject: Re: How to do authentication in different way for different
action classes


You should keep *.do for your servlet mapping.

Assuming you are using container-managed security, you can do something like
this for your security constraints:

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Secured Resources</web-resource-name>
         <url-pattern>*.do</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <role-name>strutsuser</role-name>
      </auth-constraint>
   </security-constraint>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Public Resources</web-resource-name>
         <url-pattern>/welcome.do</url-pattern>
      </web-resource-collection>
   </security-constraint>

The servlet spec requires that "exact" patterns like /welcome.do should be
matched before "extension" patterns like *.do. So, requests for /welcome.do
will match the security constraint that doesn't have any role requirements,
rather than the one that does.

-Max

----- Original Message -----
From: "Rajendra Kadam" <rakadam@cisco.com>
To: "Struts-User" <struts-user@jakarta.apache.org>
Sent: Thursday, April 03, 2003 4:23 PM
Subject: How to do authentication in different way for different action
classes


> Hi,
>
> In our application,
>
> I don't want to do authentication to first action class ( welcome.do )
> But at the same time, I want to do authentication for all other action
> classes.
>
> Initially my web.xml was looking like this
>
>   <servlet>
>     <servlet-name>action</servlet-name>
>     <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
>     ......
>   </servlet>
>
>   <servlet-mapping>
>    <servlet-name>action</servlet-name>
>    <url-pattern>*.do</url-pattern>
>   </servlet-mapping>
>
> But the disadvantage of doing this way, is that Authentication Dialog
> box comes up for welcome.do also. Which I don't want.
>
> Hence right now I'm putting all action classes for which authentication
> is required into url-pattern as shown below :
>
>   <servlet-mapping>
>    <servlet-name>action</servlet-name>
>    <url-pattern>/abc.do</url-pattern>
>    <url-pattern>/xya.do</url-pattern>
>    <url-pattern>/sdabc.do</url-pattern>
>           ......
>   </servlet-mapping>
>
> Since I had not mentioned, welcome.do in above place, it doesn't do
> authentication for it.
>
> Disadvantage of doing this is every time I added new Action class, I
> have to make the entry into this url-pattern.
>
> Is there any better way of doing this ?
>
> TIA,
> raju
>
>



---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org
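
Added example (not part of the original thread, and not container code): a small Python model of the servlet specification's url-pattern precedence that Max describes (exact match, then longest path prefix, then extension), applied to the security constraints posted above. The function names and the `/Content/*` variant are assumptions introduced here, a constraint with no auth-constraint is modelled as an empty role list, and the behaviour should be confirmed on the container actually deployed.

```python
# Added example: simplified model of servlet-spec url-pattern precedence,
# applied to security constraints. Not container code.

def pattern_kind(pattern):
    """Classify a url-pattern per the servlet spec's mapping rules."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"  # everything else, including "/Content/*.do"

def best_match(patterns, path):
    """Pick the winning pattern: exact, longest prefix, extension, default."""
    patterns = list(patterns)
    if any(p == path and pattern_kind(p) == "exact" for p in patterns):
        return path
    prefixes = [p for p in patterns if pattern_kind(p) == "prefix"
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext = "*." + last_segment.rsplit(".", 1)[1]
        if ext in patterns:
            return ext
    return "/" if "/" in patterns else None

def required_roles(constraints, path):
    """constraints: url-pattern -> roles; [] models a missing auth-constraint."""
    return constraints.get(best_match(constraints, path), [])

# Constraint sets from the thread, plus a hypothetical path-prefix variant.
MAX_REPLY = {"*.do": ["strutsuser"], "/welcome.do": []}
MICK_QUESTION = {"*.do": ["strutsuser"], "/Content/*.do": []}
PREFIX_VARIANT = {"*.do": ["strutsuser"], "/Content/*": []}  # assumption

if __name__ == "__main__":
    for name, cs in [("Max", MAX_REPLY), ("Mick", MICK_QUESTION),
                     ("prefix", PREFIX_VARIANT)]:
        for path in ["/welcome.do", "/abc.do", "/Content/list.do"]:
            print(name, path, required_roles(cs, path) or "public")
```

Under these rules `/Content/*.do` is neither a path-prefix nor an extension pattern, so it matches only that literal string and `/Content/list.do` still falls under `*.do`. The `/Content/*` variant opens every resource under that directory, not only the `.do` actions.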

