I'm not familiar with xpetstore, so I didn't say anything when I read that you had container-managed security and a sign-on filter redirecting unauthenticated users. Basically you have made the sign-on filter redundant by implementing container-managed security.
However that's not to say that the sign-on filter doesn't do other stuff as well - I don't know. One thing for instance could be that it puts user information into the session so you don't need to repeatedly fetch the info with each request.
The filter won't be by-passed - it's not affected by the app you're running, only by tomcat 'filtering' on the URL and passing it the requests it's been configured to see in the web.xml.
Adam
On 03/25/2004 10:35 PM Martin Alley wrote:
Hi Adam,
I modified the filter from xpetstore when I introduced container based security. It should now redirect the user to the signonAction to synchronise container based auth with session based (legacy) record of the logged in user. Thinking about it there could be some problems in there, but in the session timeout scenario, the SignonFilter doesn't get hit straight away (unlike the non-timeout scenario).
I guess the order of play is: Container based security Filter ActionServlet
Can't work out why the filter would appear to be bypassed.
Any ideas?
Thanks for helping. Martin
-----Original Message-----
From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: 25 March 2004 21:18
To: Struts Users Mailing List
Subject: Re: form based auth and session timeout and post data
That's one mean filter.
It's not part of struts but judging merely from its name, it's obviously
built into the app security. What does xpetstore say it's meant to do? Have you checked the filter's javadoc?
Adam
On 03/25/2004 10:07 PM Martin Alley wrote:
Hi,
I've got a struts based app using form based authentication (started
out
as xpetstore).
I have a situation where if I'm on a web form protected by role based security, and the session times out, and then I submit the form, I get to the login page, login, but then the original form data is lost.
According to the log data, it's looking for an ActionForm of a
different
name according to whether the session has timed out or not!!!
I thought this stuff was statically configured.
When there is no time out, the log looks like this:
2004-03-25 19:40:19,350 INFO [xpetstore.web.filter.SignOnFilter] doFilter()
2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter] user=bug1b
2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter] isSignedIn=true
2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter] uri=/MotoringMemorabilia/updateCustomer.jspa
2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter] _login=/login.jspa
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
Get
module name for path /updateCustomer.jspa
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] Module name found: default
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.action.RequestProcessor] Processing a 'POST' for
path
'/updateCustomer'
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] Looking for ActionForm bean instance in scope 'request' under
attribute
key 'existingCustomerForm'
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] Creating new ActionForm instance of type 'xpetstore.web.struts.action.customer.ExistingCustomerForm'
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils]
-->
[EMAIL PROTECTED]
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.action.RequestProcessor] Storing ActionForm bean instance in scope 'request' under attribute key 'existingCustomerForm'
2004-03-25 19:40:19,350 DEBUG [org.apache.struts.action.RequestProcessor] Populating bean
properties
from this request
2004-03-25 19:40:19,360 DEBUG [org.apache.struts.action.RequestProcessor] Validating input form properties
2004-03-25 19:40:19,370 DEBUG [org.apache.struts.action.RequestProcessor] No errors detected, accepting input
2004-03-25 19:40:19,370 DEBUG [org.apache.struts.action.RequestProcessor] Looking for Action
instance
for class xpetstore.web.struts.action.customer.UpdateCustomerAction
2004-03-25 19:40:19,370 DEBUG [org.apache.struts.action.RequestProcessor] Creating new Action instance
2004-03-25 19:40:19,370 INFO [xpetstore.web.struts.action.customer.UpdateCustomerAction] execute()
When there is a timeout the log goes like this:
2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils] Looking for ActionForm bean instance in scope 'request' under
attribute
key 'newCustomerForm'
2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils] Creating new ActionForm instance of type 'xpetstore.web.struts.action.customer.NewCustomerForm'
2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils]
-->
[EMAIL PROTECTED]
2004-03-25 20:10:56,918 DEBUG [org.apache.struts.util.RequestUtils]
Get
module name for path /index.jsp
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Get
module name for path /cart.jspa
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Get
module name for path /signon.jspa
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Get
module name for path /search.jspa
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Looking for ActionForm bean instance in scope 'request' under
attribute
key 'searchForm'
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Creating new ActionForm instance of type 'xpetstore.web.struts.action.product.SearchForm'
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
-->
[EMAIL PROTECTED]
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Get
module name for path /index.jsp
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Module name found: default
2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils]
Get
module name for path /category.jspa?categoryId=SIGNS
The relevant action configuration looks like this:
<action
path="/updateCustomer"
type="xpetstore.web.struts.action.customer.UpdateCustomerAction"
name="existingCustomerForm"
scope="request"
input="/myaccount.jsp"
unknown="false"
validate="true"
>
<set-property
property="secure"
value="true"
/>
<forward
name="success"
path="/index.jsp"
redirect="false"
/>
<forward
name="error"
path="/myaccount.jsp"
redirect="false"
/>
The form that is posted is declared in html like this:
<form name="existingCustomerForm" method="post" action="/MotoringMemorabilia/updateCustomer.jspa">
I need to understand the interplay between container (form) based authentication, filters and struts actionservlet.
Can anyone shed some light?
Thanks
Martin
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]