Wouldn't it be nice if the servlet spec supported this natively? It seems like one of the largest oversites that should have been dealt with in 2.4. But, oh well. I use securityfilter and it works excellent for my needs.
Brandon Goodin -----Original Message----- From: Max Cooper [mailto:[EMAIL PROTECTED] Sent: Friday, June 06, 2003 4:44 PM To: Struts Users Mailing List Subject: Re: CMA and LoginAction CMA does just-in-time authentication. You will only be authenticated on the way to viewing a protected resource. After your authentication succeeds, you will end up at the protected resource that you originally requested. This is very nice because logging in doesn't take the user off the course of what they were trying to achieve. But, it also means that you can't have users login at will, or issue an "unsolicited" login request by randomly posting to j_security_check. Actually, you can support this a bit by having the "Login" link take you to a protected resource, which will force the CMA to do the authentication routine along the way. Your protected resource might just redirect you back to the home page or something if that is what you want. You can't have a login form on every page, though, because the container won't know where to send them after they are logged in. This limitation also creates problems if users bookmark the login form page. This is one of the reasons I started the Security Filter project. It allows "unsolicited" login requests, and you can configure where users should be sent if they issue an "unsolicited" login request. It also supports just-in-time authentication like CMA, which is how it will work if Security Filter initates the authentication sequence in response to a request for a protected resource. http://securityfilter.sourceforge.net/ -Max looking for lots of securityfilter hits today ;-) ----- Original Message ----- From: "Bailey, Shane C." <[EMAIL PROTECTED]> To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]> Sent: Friday, June 06, 2003 7:28 AM Subject: RE: CMA and LoginAction > > This makes me think of another question. I have put implementing my CMA on > hold but I will need to know this soon: > > If you specify where to go prior to the CMA j_security_check call (by > describing the login form in the web.xml) why don't you have to describe the > "success" page (most likely an action) to go to as well? So where does a > successful CMA auth take you? > > I am guessing it goes to the welcome page also described in the web.xml? > > Anyway, if that is the case can you have your welcome page be > "userInitialize.do" ??? That would work right? > > > BTW, we started using Objectivity and JRun has LoginModules provided for > LDAP,Relational and XML storage and not oodb. I tried to write a custom > LoginModule (not really a problem) and a customer User manager class and it > hasn't worked. Anyone successful in such things? > > > > -----Original Message----- > From: Mohan Radhakrishnan [mailto:[EMAIL PROTECTED] > Sent: Friday, June 06, 2003 10:15 AM > To: 'Struts Users Mailing List' > Subject: CMA and LoginAction > > Hi > > I would like to use role based authentication. That is CMA. Now I > also want to call my Action class. The idea is to use > > <logic:present role="name"/> > > My Action class sets up user profiles based on the login ID etc. Is this > possible ? > > Mohan > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
