struts-user mailing list archives

From "David G. Friedman" <hum...@ix.netcom.com>
Subject RE: Application Security
Date Tue, 08 Feb 2005 17:07:16 GMT
Tim,

Have you also updated your web.xml and Tomcat configurations?

-----Original Message-----
From: Tim Christopher [mailto:tim.christopher@gmail.com]
Sent: Tuesday, February 08, 2005 12:05 PM
To: Struts Users Mailing List
Subject: Re: Application Security


Cheers for all your advice.

I've just tried implementing the JDBCRealm, though unfortunately it
does not work.  The Log4j error file contains the following:

http-80-Processor25 ERROR org.apache.catalina.realm.JAASRealm
JAASRealm.java:269 Unexpected error
java.lang.SecurityException: Unable to locate a login configuration
     at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:97)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     <snip/>

To be honest, I'm not really sure what that means...  All I've done so
far is copy a simple example and I've got that error.  Do I need to
add anything to the classpath?

I can post the code I'm using if anyone thinks that will help....

On Tue, 8 Feb 2005 03:06:51 -0000, Niall Pemberton
<niall.pemberton@blueyonder.co.uk> wrote:
> The forms for container managed security don't have to be plain html - you
> can configure in the web.xml custom "Logon"  and "Logon Error" pages which
> can be jsps, not just plain html. I have a custom tag on each of these pages
> which writes the fact that a user has arrived at that page to log4j along
> with details from the request (e.g. IP address). Log4j is pretty powerful in
> how you can configure it to filter that info and where to send it to.
>
> There are tags in the Jakarta Taglibs which you could use to achieve the
> same thing...
>    http://jakarta.apache.org/taglibs/doc/log-doc/intro.html
>    http://jakarta.apache.org/taglibs/doc/request-doc/intro.html
>
> For example on your "Logon Error Page", you might have something like
> this...
>
> <req:request id="req"/>
> <log:error category="myapp.logon.failed">
>      <bean:write name="req" property="remoteAddr"/>
>      <bean:write name="req" property="remoteHost"/>
> </log:error>
>
> Once a user has "logged on", you can get the user name from the request
> and then look up the user details wherever they are stored...
>      request.getUserPrincipal().getName()
>
> The actual form elements required are, as you say, plain html - but is there
> any need for special tags since the action you're posting to is fixed?
>
> Niall
>
> ----- Original Message -----
> From: "Tim Christopher" <tim.christopher@gmail.com>
> Sent: Tuesday, February 08, 2005 2:08 AM
>
> > I've recently discovered that it is not possible to map an action to
> > j_security_check.  Given this situation how is it possible to populate
> > a form bean with user data, or create a log of any failed login
> > attempts (bad username / password) if the container takes control of
> > the entire login process?
> >
> > Looking back at previous posts to the newsgroup I can see that in the
> > past people have just used plain html to produce the j_security_check
> > form.  Is it possible to do this using the <sslext:form> tag, but so
> > that it does not require a Struts action mapping for j_security_check
> > to be present?
> >
> > I was currently intending on using JDBCRealm and the security-filter
> > to control the site's security, though given the above problems I'm
> > starting to think there might be a better way?  Or are these problems
> > everyone has already solved, as surely some form of login system is
> > present in the vast majority of Struts applications.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
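
The web.xml and Tomcat settings this thread refers to, as an added example that is not any poster's actual configuration: a FORM login-config pointing at JSP logon and error pages, and a JDBCRealm entry in Tomcat's server.xml. The page paths, URL pattern, role name, table and column names, and the JDBC driver, URL and credentials are assumed placeholders.

```xml
<!-- ===== WEB-INF/web.xml (fragment; all names below are assumed) ===== -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- JSP holding the plain HTML form that posts j_username and
         j_password to j_security_check -->
    <form-login-page>/logon.jsp</form-login-page>
    <!-- JSP the container shows after a failed login; a logging tag
         placed here records the attempt and the remote address -->
    <form-error-page>/logonError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- ===== Tomcat conf/server.xml, inside the application's Context ===== -->
<!-- Tomcat authenticates with whichever Realm class is named in className.
     Driver, URL, credentials, tables and columns are placeholders. -->
<Realm className="org.apache.catalina.realm.JDBCRealm"
       driverName="com.mysql.jdbc.Driver"
       connectionURL="jdbc:mysql://localhost/authdb"
       connectionName="REPLACE_DB_USER"
       connectionPassword="REPLACE_DB_PASSWORD"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
```

The stack trace quoted above is raised by org.apache.catalina.realm.JAASRealm, which needs a JAAS login configuration file; a JDBCRealm entry does not use one, so the className of the Realm actually loaded is the first thing to check.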
