5 Replies Latest reply on Jan 17, 2005 9:33 AM by potdl

    Struts security setup!! please help

      Hi all,

      I have a problem with my struts config...

      I've set up all the login pages and action classes, configured the login as form-based and all the rest, but here is the problem:

      If I leave my security constraint settings out of my web.xml file:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>action</web-resource-name>
           <description>Declarative security tests</description>
           <url-pattern>*.do</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
           <!-- <http-method>HEAD</http-method>
           <http-method>PUT</http-method>
           <http-method>DELETE</http-method> -->
         </web-resource-collection>
         <!-- the role which can access these resources -->
         <auth-constraint>
           <role-name>Echo</role-name>
           <role-name>duke</role-name>
           <role-name>Java</role-name>
         </auth-constraint>

         <user-data-constraint>
           <description>no description</description>
           <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>

       </security-constraint>

       <login-config>
         <auth-method>FORM</auth-method>
         <form-login-config>
           <form-login-page>/Login.jsp</form-login-page>
           <form-error-page>/Login_error.jsp</form-error-page>
         </form-login-config>
       </login-config>
      
      


      My web app runs and I can go to the Login.jsp page through the URL, type in the username and password, get full authentication and get forwarded to the welcome page. Perfect.

      But as soon as I enable the above listed code, I automatically get rerouted to the login page (which is perfect), but as soon as I enter the username and password and press login (submit), I go back to the login page. I don't even reach my action class.

      Here is the login JSP:

      
      <%@ page contentType="text/html; charset=UTF-8" %>
      <%@ page language="java" %>
      <html>
        <HEAD>
          <TITLE></TITLE>
          <!-- To prevent caching -->
          <%
            response.setHeader("Cache-Control", "no-cache"); // HTTP 1.1
            response.setHeader("Pragma", "no-cache");        // HTTP 1.0
            response.setDateHeader("Expires", -1);           // Prevents caching at the proxy server
          %>
          <SCRIPT type="text/javascript">
            function submitForm() {
              var frm = document.logonForm;

              // Check if all the required fields have been entered by the user before
              // submitting the form
              if (frm.j_username.value == "") {
                alert("Please fill in username");
                frm.j_username.focus();
                return;
              }

              if (frm.j_password.value == "") {
                alert("Please fill in password");
                frm.j_password.focus();
                return;
              }

              frm.submit();
            }
          </SCRIPT>
        </HEAD>
        <BODY>
          <h2>Please enter login details</h2>
          <!-- The form posts to the Struts action, which matches the *.do pattern -->
          <FORM name="logonForm" action="LogonAction.do" method="POST">
            <TABLE width="100%" border="0" cellspacing="0" cellpadding="1" bgcolor="white">
              <TR>
                <TD>
                  <TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
                    <TR align="center">
                      <TD align="right" class="Prompt"></TD>
                      <TD align="left">
                        Username : <INPUT type="text" name="j_username" maxlength="20">
                      </TD>
                    </TR>
                    <TR align="center">
                      <TD align="right" class="Prompt"> </TD>
                      <TD align="left">
                        Password : <INPUT type="password" name="j_password" maxlength="20">
                        <BR>
                      </TD>
                    </TR>
                    <TR align="center">
                      <TD align="right" class="Prompt"> </TD>
                      <TD align="left">
                        <input type="submit" value="Login">
                      </TD>
                    </TR>
                  </TABLE>
                </TD>
              </TR>
            </TABLE>
          </FORM>
        </BODY>
      </html>
      
      

      I think the problem is that my security constraint is set to reroute everything that ends with *.do and authenticate it, so when I press submit in the login page, it reroutes me back to the login page, because I'm not authenticated??

      Please, if anyone can help. I'm rather stuck and this is the first time I'm doing authentication.

      Thanks
      Derick

        • 1. Re: Struts security setup!! please help
          shady

          Derick

          What action is executed when authentication fails? I return "error" from my action when it fails. In my struts-config.xml I send this forward back to the login.jsp.

          I am experiencing a different problem thereafter. I authenticate OK and am directed to the welcome page. Now if I click on a page that is not protected I lose the Subject. If I now click on a protected page I am asked to log on again. I expected the Subject to be present for the duration of the session, NOT the request. Has anybody encountered this problem before? Is this expected behaviour? (I am sure the servlet spec would disagree)

          • 2. Re: Struts security setup!! please help

            I use Struts in my applications, but I just use the standard J2EE stuff for authentication. I use form based authentication, and my login.jsp submits to j_security_check. I don't use anything struts related for authentication. Anything I define as being secure in my web.xml is handled automatically.
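Added example, not part of the original thread: a web.xml fragment for the container-managed setup this reply describes, reusing the role names and page paths from the question. It goes beyond the reply by leaving out the `<http-method>` list and by using a CONFIDENTIAL transport guarantee, which assumes the server has an HTTPS connector configured.

```xml
<!-- web.xml fragment (added example; roles and paths are those in the question) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>action</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <!-- No <http-method> elements: the constraint then applies to every
         HTTP method. Listing only GET and POST leaves requests made with
         any other method outside this constraint. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>Echo</role-name>
    <role-name>duke</role-name>
    <role-name>Java</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL requires an encrypted transport (HTTPS in practice)
         for these URLs; NONE also accepts them over plain HTTP. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The form on this page must POST the fields j_username and
         j_password to the action "j_security_check". The container
         handles that request itself, so no Struts action (and no *.do
         URL) is involved in the login submit. -->
    <form-login-page>/Login.jsp</form-login-page>
    <form-error-page>/Login_error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint is declared here -->
<security-role><role-name>Echo</role-name></security-role>
<security-role><role-name>duke</role-name></security-role>
<security-role><role-name>Java</role-name></security-role>
```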

            • 3. Re: Struts security setup!! please help

              Thanks, but if I make the action command in the JSP "j_security_check", where in my login-config.xml should I then change the modules to look for the usernames in my database? Is it the ClientLoginModule?? Or how does j_security_check actually know??

              Thanks
              Derick

              • 4. Re: Struts security setup!! please help

                You need to define a block in your login-config.xml that uses the DatabaseServerLoginModule. Then, make sure you add a reference to whatever realm you defined in your jboss-web.xml file for the webapp. If you are using the bundled tomcat, and not a standalone one, then it should work.

                The configuration of the DatabaseServerLoginModule will include the queries to lookup users/roles in your database.

                Check the wikis or admin docs for specifics on how to configure it.

                • 5. Re: Struts security setup!! please help

                  Thanks guys,

                  But I'm feeling a bit stupid now, it was the bug in JBoss 4.0.0 that caused the problem. I've installed the new JBoss RC1 and it is working like a charm.

                  Thanks
                  Derick