struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Caroline Jen <jiapei_...@yahoo.com>
Subject Re: How To Work Out This Action Mapping?
Date Sat, 11 Oct 2003 05:49:38 GMT
To answer your questions:

1. The LOGON button links to a forward: 
   <html:link forward="logon">LOGON</html:link>
 
   and in my struts-config.xml, I have 

     <forward
        name="logon"
        path="/do/admin/Menu"/>

2. the <security-constraint> in my web-xml is:

  <security-constraint>
    <web-resource-collection>
     
<web-resource-name>Administrative</web-resource-name>
        <!-- The URLs to protect -->
        <url-pattern>/do/admin/*</url-pattern>
    </web-resource-collection>
      <auth-constraint>
        <!-- The authorized users -->
        <role-name>administrator</role-name>
        <role-name>contributor</role-name>
      </auth-constraint>
  </security-constraint>

By the way, there is another problem -- after the
insertion of the <security-constraint>, the
application totally stops functioning.  No welcome
page displayed.  In the browser, I have

HTTP Status 404 -/PracticeVersion
description: The requested resource(/PracticeVersion)
is not availabe.

and in the Tomcat log file, I have:

LifecycleException: Container
StandardContext[/PracticeVersion] has not been started
  
Thereafter, I deleted the <security-constraint>
element from the web.xml file.  I have the welcome
page displayed.  After I click on the LOGON button in
the welcome page, the welcome page remains in the
browser.  The logon.jsp, which collects j-username,
j_password, does not get displayed and
http://localhost:8080/PracticeVersion/do/admin/Menu
shows in the address bar.

--Caroline

--- "Craig R. McClanahan" <craigmcc@apache.org> wrote:
> Caroline Jen wrote:
> 
> >Thank you very much for the detailed explanation. 
> >Yet, I still have hard time to make my application
> >work -- I am "able" to display the welcome page (no
> >problem). And I have
>
>http://localhost:8080/PracticeVersion/do/Menu;jsessionid=0A6E76A8F3E849BC8DAAC45BFB72F72E
> >in the address bar.
> >
> >However, after I click on the LOGON button in the
> >welcome page, the welcome page
> >
> Where does this LOGON button submit to?  If it
> submits to 
> "j_security_check", you are doing this wrong.  It
> should submit to some 
> resource that is protected by a security constraint.
> 
> > remains in the browser.
> > The logon.jsp, which collects j-username,
> j_passwor,
> >does not get displayed and
> >http://localhost:8080/PracticeVersion/do/admin/Menu
> >shows in the address bar.
> >
> >I do not know what went wrong.  Could it be that
> the
> >JDBCRealm is not configured correctly?
> >
> >Because the LOGON button links to a forward: 
> ><html:link forward="logon">LOGON</html:link>
> > 
> >and in my struts-config.xml, I have 
> >
> >     <forward
> >        name="logon"
> >        path="/do/admin/Menu"/>
> >
> >The /do/admin/Menu is my protected resources.  I
> keep
> >it unchanged.
> >  
> >
> It's only protected if it's listed in a
> <security-constraint> in web.xml.
> 
> >1. I configured the Tomcat JDBCRealm and prepared
> the
> >users table, user-roles table according the
> >instructions found at
>
>http://jakarta.apache.org/tomcat/tomcat-4.1-doc/realm-howto.html
> >  
> >
> Which Realm you use does not make any difference.
> 
> >2. Because I want to use FORM based container
> managed
> >authentication, I inserted 
> >
> ><login-config>
> > <auth-method>FORM</auth-method> 
> >  <form-login-config> 
> >  
>
><form-login-page>/signin/logon.jsp</form-login-page>
>  
> >  
>
><form-error-page>/signin/logon.jsp?error=true</form-error-page>
> >  </form-login-config>                  
> ></login-config>
> >
> >in the web.xml file.
> >  
> >
> What does your <security-constraint> in web.xml look
> like?  This is the 
> critical ingredient.
> 
> >3. I put logon.jsp in the ApplicationRoot/signin
> >folder.  Here is the code of the logon.jsp (I took
> out
> >all the Struts tags) and I know the code works well
> >because I have tested it:
> >
> ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
> >Transitional//EN">
> ><HTML>
> ><HEAD>
> ><TITLE>Container Managed Authentication</TITLE>
> ></HEAD>
> ><BODY>
> ><H1>Sign in, Please</H1>
> ><HR>
> ><FORM action="j_security_check" method="post"
> >focus="j_username">
> ><TABLE border="0" width="50%" cellspacing=3
> >cellpadding=2>
> ><TR>
> ><TH align="right">User Name:</TH>
> ><TD align="left"><INPUT TYPE=text NAME="j_username"
> >SIZE="25"/></TD>
> ></TR>
> ><TR>
> ><TH align="right">Password:</TH>
> ><TD align="left"><INPUT TYPE=password
> >NAME="j_password" SIZE="10"/></TD>
> ></TR>
> ><TR>
> ><TD align="right"><INPUT TYPE=submit
> >VALUE="Submit"></TD>
> ><TD align="left"><INPUT TYPE=reset
> VALUE="Reset"></TD>
> ></TR>
> ></TABLE>
> ></FORM>
> ></BODY>  
> >
> >--Caroline
> >
> Craig
> 
> >--- "Craig R. McClanahan" <craigmcc@apache.org>
> wrote:
> >  
> >
> >>Caroline Jen wrote:
> >>
> >>    
> >>
> >>>Thank you for your reply.  I am using container
> >>>managed authentication.
> >>>
> >>>My problem is "how to go from j_security_check
> back
> >>>      
> >>>
> >>to
> >>    
> >>
> >>>my Struts framework."
> >>> 
> >>>
> >>>      
> >>>
> >>That turns out to not be your problem ... that is
> >>the container's problem.
> >>
> >>The key thing to remember is that the user should
> >>never access your 
> >>login page (whatever it's URL is) directly. 
> >>Instead, form-based login 
> >>is triggered the first time that an
> unauthenticated
> >>user requests a URL 
> >>that is protected by a security constraint.  What
> >>happens next goes like 
> >>this:
> >>
> >>(1) Unauthenticated user requests a protected
> >>resource (*NOT* the login 
> >>page!)
> >>
> >>(2) Container remembers the protected resource
> that
> >>was requested
> >>     in a private variable.
> >>
> >>(3) Container displays the login page, which must
> >>have a destination
> >>     of "j_security_check", and waits for the user
> >>submit.  For some 
> >>containers,
> >>     including Tomcat, this is the one-and-only
> time
> >>that submitting to
> >>     "j_security_check" will not return a 404.
> >>
> >>(4) User enters username and password, and presses
> >>the submit button.
> >>
> >>(5) Container authenticates the username and
> >>password combination.
> >>     If valid, container recalls the resource
> saved
> >>in (2) and displays 
> >>*that*
> >>     to the user in response to the login submit.
> >>
> >>If this doesn't make sense, temporarily switch
> your
> >>app to use BASIC 
> >>authentication instead, and walk through the
> >>process.  The user 
> >>experience will be identical except that the
> "login
> >>page" will be a 
> >>popup dialog box instead of your configured login
> >>page.  (Technically, 
> >>it's different in one other respect -- it's the
> >>*browser* that does the 
> >>remembering in step (2) and the restoring in step
> >>(5), but the user 
> 
=== message truncated ===



__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Mime
View raw message