struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pblatner <>
Subject Re: Struts 2 Container Security problem
Date Mon, 16 Mar 2009 21:05:06 GMT

I have tried to do the exact thing that Jeromy suggests below with 2
packages.  And then in the web.xml specify a security constraint with the
URL pattern "/protected/*".  After doing so, I am not getting the result
that I think I should be.

When issuing a request for my action at
"http://localhost/MyApp/protected/HomeAction", the container is not
intercepting and challenging me with my logon.html page.

Anyone know why this isn't working?  

The struts 2 servlet-filter pattern is "/*".  It seems pretty obvious that
the struts 2 servlet filter is responding to the first part of the URL:
"http://localhost/MyApp/*" and the container isn't seeing that as a secured

Am I missing a configuration pattern somewhere that tells the container to
inspect the full URL before allowing the servlet filter to process it?

My deployment environment is WebSphere 6.1.  Are there any incompatibilities
between WebSphere 6.1 and struts 2 that could be causing this?


Jeromy Evans - Blue Sky Minds wrote:
> In struts.xml, the namespace given to your package needs be in 
> /protected as well.
> eg. <package name="myPackage" namespace="/protected">
> Otherwise, as you've seen, it's available in the root of the 
> application's context path.
> I usually split my struts2 application into at least two packages:
> <package name="public" namespace="/"> ...
> <package name="secure" namespace="/protected">

View this message in context:
Sent from the Struts - User mailing list archive at

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message