Mete,

With container-managed security, you have to let the container process the login form submittal (j_security_check). There is no method you can call to process the login yourself. The container makes the info like the user name and if a user is in a particular role available through methods on the request [getRemoteUser() & isUserInRole()]. I haven't played with sub-apps yet, but I imagine they run in the same context from the server's perspective, so container-managed security should work fine. If they don't run in the same context, you can probably still do what you want with container-based security and some additional setup.

One thing that you cannot do with container-managed security is direct the users to the login form page to force them to log in. As an alternative, you can protect a page and send users there, so the container will send them through the login form. For instance, if your login form is /loginForm.do, you could make a page (even a redirect back to your home page if you want users to end up there) named /protected.do and then set up a security constraint for that page. Your Login link would be <a href="(contextPath)/protected.do">Login</a> with this setup. I think you can achieve your desired functionality with those techniques. If you need more info, I'll be happy to help out.

Another alternative is to use a filter to mimic container-managed security [including wrapping the request with your implementations of getRemoteUser() and isUserInRole()]. This way, you could provide a programmatic interface to log users in with an Action, but the value of providing the interface is not clear to me. I think you can achieve your desired functionality without it, and end up with less coupling between your app and the authentication mechanism.

-Max

----- Original Message -----
From: "Eddie Bush" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, July 17, 2002 6:59 PM
Subject: Re: Struts/Container-Managed Authentication Question

> I'd recommend putting it to the Tomcat guys, but I'm just about positive
> you'd have to use j_security_check (ie FORM-based authentication).
>
> Mete Kural wrote:
>
> >Hi,
> >
> >My Struts-based webapp has two sub-apps.
> >
> >In the first sub-app, anybody can surf through without
> >having to be logged in, but if you are logged in, some
> >special features are enabled (ex: "Hello Mr. ..").
> >
> >In the second sub-app, you have to be logged in to
> >access the pages therein.
> >
> >For the entirety of the second sub-app, obviously a
> >security-constraint should be declared in web.xml. But
> >the first sub-app is open to anybody, although login
> >is encouraged (i.e. not required). For that reason, I
> >can't put a security-constraint for the first sub-app
> >in web.xml, but how am I going to authorize users who
> >want to log in while they're in the first sub-app in a
> >container-managed manner??
> >
> >Basically what I want to do is to log a user in with
> >the container from a LoginAction class, rather than
> >the good-old "j_security" way. Maybe this one should
> >be asked to the Tomcat group, but in case some of you
> >may know, Is there a way to log a user in with the
> >container through a method interface inside an Action
> >class instead of dispatching the request to
> >j_security_constraint? I couldn't find such a method
> >interface in the Servlet 2.3 specs.
> >
> >I'll appreciate any insight on this.
> >
> >Thanks,
> >Mete Kural
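
The protected-page setup described in the reply above, sketched as Servlet 2.3 web.xml security elements. This is an added example, not part of the original thread; the role name "user", the /loginError.do error page and the /members/* path for the second sub-app are assumptions.

```xml
<!-- Added example: security elements for a Servlet 2.3 web.xml. They go inside
     <web-app>, after the servlet/servlet-mapping entries, in this order. -->

<!-- Login trigger: the only protected URL in the open sub-app. The "Login"
     link points here; the container intercepts the request, shows the login
     form, and after j_security_check succeeds returns the user to this URL. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login trigger</web-resource-name>
    <url-pattern>/protected.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<!-- Second sub-app: every page requires login. /members/* is an assumed path. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Members sub-app</web-resource-name>
    <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- FORM login: the form served at /loginForm.do must POST the fields
     j_username and j_password to j_security_check.
     /loginError.do is an assumed error page. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/loginForm.do</form-login-page>
    <form-error-page>/loginError.do</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Pages in the open sub-app stay unconstrained and can call request.getRemoteUser(), which returns null until the user has logged in through the protected link.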

