Malcolm Davis wrote:
> This "Security" issue has always bothered me.
> The servlet API provides a Form Based Authentication via 'j_username' and '
> j_password'.
> Tomcat supports this feature, but I don't see it in Struts.
>
> Are there plans to support Form Based Authentication via 'j_username' and '
> j_password'
In what way do you feel that Struts should support this? It's completely
defined by the way you configure your web.xml file (and your server), and
Struts-based applications can take advantage of that fact with no code changes
at all being necessary. This is true on *any* servlet container that implements
2.2 or later, not just Tomcat.
One reasonable follow-up question is "why does the example application do its
own login processing?". And the answer is based on a longer discussion from
earlier today -- the interface between a servlet container and the underlying
database of users and roles is not portable, and I didn't want to have to
research how to set that up on every single server that Struts might be run on.
The whole idea of an example application is to be able to drop it in and run, as
a quick test to make sure that Struts works in your environment.
>
> Thans,
> Malcolm
Craig
