Hello Brian,

You don't need to write any special Action or Form classes to use JAAS with Struts. The steps you need are:

1) Configure a login policy ('application-policy') in <yourdomain>/conf/login-config.xml, and set up your users & roles appropriately (I suggest using UsersRolesLoginModule initially, just to get it working - you will need to include users.properties and roles.properties in WEB-INF/classes - see jmx-console for an example);
2) Add a 'security-constraint' element to your web.xml - use this to define which URL patterns you want to be secured by which user roles (check the DTD for details);
3) Add a 'login-config' element to web.xml. Use this to specify FORM as the auth-method and use 'form-login-config' to specify the paths of your login & login error JSPs;
4) Add 'security-role' elements to web.xml for each role referenced in step 2;
5) Create login & login error JSPs. Your login JSP must contain a form with action="j_security_check", a text input field with name="j_username" and a password input field with name="j_password". Your login error JSP doesn't need to contain anything special.

That's it for the web tier. Now when a user tries to access a URL which matches a pattern defined in step 2, they'll see the login JSP. When this is submitted, JAAS will use the policy defined in step 1 to log in the user and check that they have the appropriate role required for the URL requested. If so, they'll then see the appropriate protected page.

As for the EJB tier, I don't really know as I haven't used JAAS with EJBs (the only access to my EJBs is through the web tier), but basically, I think it mainly involves associating security roles with EJB methods via your deployment descriptor.

Hope this helps,
Al.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brian Wallis
> Sent: 25 June 2003 01:11
> To: [EMAIL PROTECTED]
> Subject: [JBoss-user] j_security_check & JBoss/Jetty
>
> I'm running 3.0.7 JBoss with the default Jetty integration and am writing a
> struts based web app front end to an EJB application.
>
> I have been trying to find out how form based authentication works and have
> read a lot of articles and mail items from various lists and am confused
> about a couple of things.
>
> Do I have to provide an action class and a form class for the login form or
> does the web container handle this, ie: do I have to point j_security_check
> to an action that I write? If not, why do I keep getting "Cannot retrieve
> mapping for action /j_security_check" errors?
>
> Do I have to provide the form with the j_username and j_password fields for
> the login or does the web container handle this as well.
>
> I believe that I have to provide some code to pass the authentication details
> onto an EJB container when I call into a bean. I'm not sure what this code
> is. Any examples? I thought I saw one once during my searching but cannot
> find it again.
>
> thanks,
>
> brian wallis...

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user