On Wed, 30 Oct 2002, Etienne Labonté wrote:

> Date: Wed, 30 Oct 2002 10:35:45 -0500
> From: "Etienne Labonté" <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: "Struts Users Mailing List (E-mail)" <[EMAIL PROTECTED]>
> Subject: Form-Based Authentication and Struts
>
> Hi,
>
> Is there any relation to be made between Tomcat Form-Based Authentication
> and Struts?

They can be used together, but there is no direct relationship other than
the ability to specify a "roles" attribute on an <action> element, to
limit the users that can execute a particular Action to those with one of
the listed roles.

> The Tomcat admin webapp seems to be based on Struts and uses
> Form-Based Authentication.

That is correct.  It uses the standard container-managed security
facilities provided by Tomcat (or any other servlet container).

> But it looks like it is not using Struts to
> handle the login form. On the other hand, the Struts-example webapp uses
> Struts for this task and has nothing about security defined in its web.xml
>

The reason for that is that most people, when they originally download
Struts, need a test app to see if everything works correctly.  If we used
container-managed security in the test app, we'd have to document how to
set up an appropriate user for every possible servlet container (and there
are quite a lot of them, each with their own procedures for this).

In retrospect, I sort of wish I hadn't illustrated application-managed
security like this, because I generally recommend that people use
container-managed security for their webapps.  But, lots of people still
prefer to roll their own, so at least they've got a reasonable example of
that as well ...

> Etienne Labonté

Craig
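
The combination described in this reply, sketched as an added example that is not part of the original message or of the Struts or Tomcat distributions: container-managed form login declared in web.xml, plus the "roles" attribute on a Struts <action>. The role name, URL paths, realm name and Action class are hypothetical.

```xml
<!-- WEB-INF/web.xml (Servlet 2.3 fragment): the container, not Struts, runs the login -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin actions</web-resource-name>
    <!-- hypothetical path; it must cover every URL that needs a login -->
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- login.jsp: a plain form posted to the container; no Struts Action or
     ActionForm is involved. The action and field names are fixed by the
     servlet specification. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" value="Log in"/>
</form>

<!-- WEB-INF/struts-config.xml: second check inside Struts, limiting this
     Action to users the container has already placed in a listed role -->
<action-mappings>
  <action path="/admin/editUser"
          type="com.example.EditUserAction"
          roles="admin"/>
</action-mappings>
```

The "roles" attribute only tests the roles of a user the container has already authenticated; it is the security-constraint that makes the container present the login form, so a URL left out of the url-pattern is never prompted for credentials.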

