From: "Martin Gainty" <mgainty@hotmail.com>
To: "Struts Users Mailing List" <user@struts.apache.org>
Subject: Re: Struts 2 Container Security problem
Date: Tue, 19 Feb 2008 15:08:41 -0500
References: <47BB0E0F.9030305@toltech.net>
start here
http://www.acegisecurity.org/guide/springsecurity.html

M-

----- Original Message -----
From: "Kelly Graus"
To:
Sent: Tuesday, February 19, 2008 12:12 PM
Subject: Struts 2 Container Security problem

> Hi Everyone,
>
> I'm attempting to secure my first Struts 2 web app using container
> security with a DataSourceRealm. I'm using Tomcat 6 as my container.
> Here is how my project is set up:
>
> LicensingAdministration/
>   META-INF/
>     context.xml
>   WEB-INF/
>     web.xml
>     classes/
>       struts.xml
>   protected/
>     *JSP pages*
>   login.jsp
>   error.jsp
>
> Without using struts, this works perfectly. Any attempt to access
> anything under the protected area results in a redirect to the login
> page, and from there all of the database stuff works fine. However,
> when I added in struts, I am now able to bypass the security by
> specifying an action directly.
>
> For example, navigating to
> http://localhost:8080/LicensingAdministration/CreateProduct.action will
> bypass the login page and go directly to the CreateProduct action.
> However, navigating to
> http://localhost:8080/LicensingAdministration/protected/CreateProduct.action
> will perform a redirect to the login (as expected).
>
> Any suggestions on how to secure the actions so that the login cannot be
> bypassed would be greatly appreciated! Below are the relevant parts of
> my web.xml and context.xml files (I can post the full files if
> necessary, but they contain a lot of resource definitions that aren't
> related to the problem).
>
> Also, in a slightly unrelated question, is it possible to use struts
> tags in the login page? I was trying to use an s:url tag to specify the
> location of the css. When redirected to the login page, the server
> threw an exception and I got an error message stating that the Struts
> dispatcher cannot be found.
>
> Thanks!
>
> Kelly
>
> [web.xml]
>
> <filter>
>   <filter-name>struts2</filter-name>
>   <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
> </filter>
>
> <filter-mapping>
>   <filter-name>struts2</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> [snip]
>
> <resource-ref>
>   <res-ref-name>jdbc/UsersDS</res-ref-name>
>   <res-type>javax.sql.DataSource</res-type>
> </resource-ref>
>
> <security-constraint>
>   <display-name>name</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/protected/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>licensing-admin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>Licensing Administration</realm-name>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> <security-role>
>   <role-name>licensing-admin</role-name>
> </security-role>
>
> <welcome-file-list>
>   <welcome-file>protected/administer.jsp</welcome-file>
> </welcome-file-list>
>
> [/web.xml]
>
> [context.xml]
> <Resource name="jdbc/UsersDS"
>   type="javax.sql.DataSource"
>   username="username"
>   password="password"
>   driverClassName="com.mysql.jdbc.Driver"
>   url="jdbc:mysql://localhost:3306/users"/>
>
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
>   dataSourceName="jdbc/UsersDS" localDataSource="true"
>   userTable="users" userNameCol="user_name" userCredCol="user_pass"
>   userRoleTable="user_roles" roleNameCol="role_name"/>
> [/context.xml]
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
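The bypass Kelly describes follows from two facts: a container security-constraint matches only the url-patterns it lists, and the struts2 filter mapped to /* resolves CreateProduct.action by action name at any path (an unmatched namespace such as /protected falls back to the default namespace), so an attacker simply drops the /protected/ prefix. The web.xml excerpt below is an added example written for this page, not code from the thread or from the Struts or Tomcat projects; it reuses the role, realm and page names from Kelly's post and assumes every action URL ends in the default .action extension.

```xml
<!-- Added example (not from the original post): constrain the action URLs
     themselves, not just the directory the JSPs live in. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- JSPs and anything else under /protected/ (from the original post). -->
    <url-pattern>/protected/*</url-pattern>
    <!-- Every Struts 2 action, wherever it is requested from. An extension
         pattern matches both /CreateProduct.action and
         /protected/CreateProduct.action, so there is no unprotected spelling. -->
    <url-pattern>*.action</url-pattern>
    <!-- No <http-method> elements on purpose: listing only GET and POST would
         leave HEAD, PUT and the rest unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>licensing-admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Unchanged from the post: /login.jsp and /error.jsp sit outside both
     patterns, so the container can still serve them to an unauthenticated
     browser. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Licensing Administration</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

Two checks before relying on this. First, the pattern list must mirror struts.action.extension: if that property is changed, or lists several extensions (Struts 2.1 accepts a blank one), each extension needs its own url-pattern, or the unlisted spelling becomes the bypass. Second, verify from a fresh session that http://localhost:8080/LicensingAdministration/CreateProduct.action now returns the login page rather than the action. Because URL-based container security is only as good as its pattern list, a defence-in-depth check inside the action, for example ServletActionContext.getRequest().isUserInRole("licensing-admin"), is cheap insurance against the next mapping change.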