After a hard day of work I have solved this...see my documentation below.
-Michelle
J2EE Container Authentication and Struts
Overview
There was a need to provide a custom handler of the user authentication
information (userid, password) prior to container authentication. This
includes changing the values of the user's password prior to authentication.
The Problem
In this particular case it was a new requirement that the user's password
would be stored in an encrypted format, which meant that the password would
have to be encrypted before sending to the container for authentication.
Original State
A Struts application with J2EE Container Authentication was previously
developed and working. This involved the use of form-based login where the
jsp contained the j_security_check form which submitted the necessary
authentication parameters (j_username, j_password). The issue with this is
that because the jsp was posting the page directly to the container there
was no means to intervene and provide the necessary pre-processing. We
would need to capture the user entered password and encrypt it before
passing it on to the container for authentication.
Changes Required
2 New Classes were required
LoginForm.java - Struts Form, which would contain the attributes userid and
password and the corresponding getter/setter methods.
LoginAction.java - Struts Action class, which would provide the hook for the
developer to add custom logic prior to authentication as well as modifying
the values sent to the container. More details below.
1 JSP to be modified
Login.jsp - Remove the j_security_check from the form and set it up as a
standard Struts page (name the action and form parameters anything you
like).
Modify the Struts config to add the section for the Login Action and
Form (standard Struts action)
Security related modifications - Ensure that the LoginAction is not secured
in the web.xml otherwise you will not be able to post your login page to
this action. Because I set my web.xml to constrain all *.do and *.jsp urls,
I added a new mapping to my action servlet and associated *.auth to it.
Then I modified the Login.jsp and instead of using /login.do I used
/login.auth.
In order to pass along the userid and the password to the container I needed
to set up a request dispatcher in the login action with the appropriate
parameters set (see example below) and forward the request on.
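    // Imports needed by LoginAction.java
    import java.net.URLEncoder;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.struts.action.*;

    public ActionForward perform(
            ActionMapping aMapping,
            ActionForm aForm,
            HttpServletRequest aRequest,
            HttpServletResponse aResponse)
            throws java.io.IOException, javax.servlet.ServletException {
        LoginForm form = (LoginForm) aForm;
        // Custom pre-processing of the userid/password goes here.
        // Encode with an explicit charset; the one-argument
        // URLEncoder.encode(String) is deprecated and platform-dependent.
        String request = "j_security_check?j_username="
                + URLEncoder.encode(form.getUserid(), "UTF-8")
                + "&j_password="
                + URLEncoder.encode(form.getPassword(), "UTF-8");
        // Hand the request to the container's form-login handler.
        RequestDispatcher rd = aRequest.getRequestDispatcher(request);
        rd.forward(aRequest, aResponse);
        // The response is produced by the forward; nothing for Struts to do.
        return null;
    }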
Summary
It works great! I wished I had done it sooner.
-----Original Message-----
From: Michelle Popovits [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 30, 2002 10:01 AM
To: '[EMAIL PROTECTED]'
Subject: container managed security and login action?
Has anyone been able to capture login information in a struts action and
then send it on for j2ee container managed security?
I currently have a struts application that uses j2ee container managed
security.
New requirements state that the password is to be stored in encrypted form
which means I will need to take the user's password and encrypt it before
sending on to the j2ee container for authentication.
Has anyone done this?
Can this be done?
Hints? Tips? Examples?
Thanks,
Michelle
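
Added example, not part of the original e-mail or the Struts project: the pre-processing step the LoginAction hook is meant for, transforming the password and then building the j_security_check path with input validation and explicit-charset encoding. The class and method names are hypothetical, and the hex SHA-256 transform is an assumption, since the message does not say which scheme the stored passwords use.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example; class and method names are hypothetical. */
public class LoginPathBuilder {

    /**
     * Assumption: the user store holds a hex SHA-256 digest of the password.
     * The e-mail does not name a scheme; substitute whatever transform
     * produced the stored values.
     */
    static String transformPassword(String clearText) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(clearText.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** Builds the path handed to getRequestDispatcher() in the LoginAction. */
    static String buildPath(String userid, String password)
            throws NoSuchAlgorithmException, UnsupportedEncodingException {
        // Missing form fields would otherwise surface as a NullPointerException.
        if (userid == null || userid.isEmpty() || password == null || password.isEmpty()) {
            throw new IllegalArgumentException("userid and password are required");
        }
        // Encoding with an explicit charset keeps '&', '=' and '+' in user input
        // from being parsed as extra parameters of j_security_check.
        return "j_security_check?j_username=" + URLEncoder.encode(userid, "UTF-8")
                + "&j_password=" + URLEncoder.encode(transformPassword(password), "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a userid containing query-string metacharacters.
        System.out.println(buildPath("alice&j_password=x", "s3cret+pass"));
        System.out.println(buildPath("bob", "s3cret+pass"));
    }
}
```

In the Action, the returned string replaces the hand-built `request` value before `getRequestDispatcher()` is called.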
--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>