struts-user mailing list archives

From "Martin Gainty" <mgai...@hotmail.com>
Subject Re: Struts 2 Container Security problem
Date Tue, 19 Feb 2008 20:08:41 GMT
start here
http://www.acegisecurity.org/guide/springsecurity.html

M-
----- Original Message -----
From: "Kelly Graus" <kelly.graus@toltech.net>
To: <user@struts.apache.org>
Sent: Tuesday, February 19, 2008 12:12 PM
Subject: Struts 2 Container Security problem


> Hi Everyone,
>
> I'm attempting to secure my first Struts 2 web app using container
> security with a DataSourceRealm.  I'm using Tomcat 6 as my container.
> Here is how my project is set up:
>
> LicensingAdministration/
>     META-INF/
>        context.xml
>     WEB-INF/
>        web.xml
>        classes/
>           struts.xml
>     protected/
>        *JSP pages*
>     login.jsp
>     error.jsp
>
> Without using struts, this works perfectly.  Any attempt to access
> anything under the protected area results in a redirect to the login
> page, and from there all of the database stuff works fine.  However,
> when I added in struts, I am now able to bypass the security by
> specifying an action directly.
>
> For example, navigating to
> http://localhost:8080/LicensingAdministration/CreateProduct.action will
> bypass the login page and go directly to the CreateProduct action.
> However, navigating to
> http://localhost:8080/LicensingAdministration/protected/CreateProduct.action
> will perform a redirect to the login (as expected).
>
> Any suggestions on how to secure the actions so that the login cannot be
> bypassed would be greatly appreciated!  Below are the relevant parts of
> my web.xml and context.xml files (I can post the full files if
> necessary, but they contain a lot of resource definitions that aren't
> related to the problem).
>
> Also, in a slightly unrelated question, is it possible to use struts
> tags in the login page?  I was trying to use an s:url tag to specify the
> location of the css.  When redirected to the login page, the server
> threw an exception and I got an error message stating that the Struts
> dispatcher cannot be found.
>
> Thanks!
>
> Kelly
>
> [web.xml]
> <filter>
>       <filter-name>struts2</filter-name>
>       <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
>   </filter>
>
>   <filter-mapping>
>     <filter-name>struts2</filter-name>
>     <url-pattern>/*</url-pattern>
>   </filter-mapping>
>
> [snip]
>
> <resource-env-ref>
>     <resource-env-ref-name>jdbc/UsersDS</resource-env-ref-name>
>     <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
>   </resource-env-ref>
>
>   <!-- Security Constraints -->
>   <security-constraint>
>     <display-name>name</display-name>
>     <web-resource-collection>
>       <web-resource-name>Protected Area</web-resource-name>
>       <url-pattern>/protected/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>licensing-admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Licensing Administration</realm-name>
>     <form-login-config>
>       <form-login-page>/login.jsp</form-login-page>
>       <form-error-page>/error.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>   <security-role>
>     <role-name>licensing-admin</role-name>
>   </security-role>
>
>   <welcome-file-list>
>       <welcome-file>protected/administer.jsp</welcome-file>
>   </welcome-file-list>
> [/web.xml]
>
> [context.xml]
> <Resource name="jdbc/UsersDS" auth="Container"
>               type="javax.sql.DataSource"
>               username="username"
>               password="password"
>               driverClassName="com.mysql.jdbc.Driver"
>               url="jdbc:mysql://localhost:3306/users"/>
>
>     <!-- Security Realm -->
>       <Realm className="org.apache.catalina.realm.DataSourceRealm"
>            dataSourceName="jdbc/UsersDS" localDataSource="true"
>            userTable="users" userNameCol="user_name" userCredCol="user_pass"
>            userRoleTable="user_roles" roleNameCol="role_name"/>
> [/context.xml]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>
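The bypass in the quoted post follows from the constraint itself: the only protected `url-pattern` is the path prefix `/protected/*`, while Struts serves actions as `*.action` URLs directly under the context root, so `/CreateProduct.action` is never matched by the constraint and the container never challenges for login. Below is an added example of the corrected `web.xml` fragments; it is not code from either poster. The role name, paths and filter name are taken from the quoted `web.xml`; the `*.action` extension mapping is assumed from the action URL shown in the question, and the `FORWARD` dispatcher entry for the second question assumes (as is the case for Tomcat's FORM authenticator) that the container reaches the login page through a forward, which a filter mapped only for direct requests does not see.

```xml
<!-- Added example, not the poster's web.xml. Constrain the Struts action
     URLs together with the /protected/ path so a direct action URL is
     challenged like any protected JSP. -->
<security-constraint>
  <display-name>Protected Area</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Path-prefix mapping: the JSPs under /protected/ (from the question). -->
    <url-pattern>/protected/*</url-pattern>
    <!-- Extension mapping (assumed from the URLs in the question): every Struts
         action, in any namespace. Without it /CreateProduct.action lies outside
         the constraint and needs no login. -->
    <url-pattern>*.action</url-pattern>
    <!-- No <http-method> element on purpose: the constraint then covers all
         methods. Listing only GET and POST would leave the other methods
         unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>licensing-admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Second question (s:url in login.jsp): the container forwards to
     /login.jsp, and a filter-mapping without <dispatcher> elements runs only
     for direct REQUESTs. Declaring FORWARD as well (Servlet 2.4+) lets the
     Struts filter set up its context for that forward, so the tags can find
     the dispatcher. -->
<filter-mapping>
  <filter-name>struts2</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
```

Once the extension mapping is in place, the check is the one already described in the question: requesting `/LicensingAdministration/CreateProduct.action` without a session should redirect to `/login.jsp` exactly as the `/protected/` URL does.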


