Perhaps his login & logout are the same action both forwarding to the login screen, and if already logged in, logging out along the way?
-----Original Message----- From: Cliff Rowley [mailto:[EMAIL PROTECTED]] Sent: Monday, September 23, 2002 18:54 To: 'Struts Users Mailing List' Subject: RE: How can I make my logout page not secure? Out of pure interest, why do you want logout unprotected? People who are logged out wont need to log out, will they? >-----Original Message----- >From: Michael [mailto:[EMAIL PROTECTED]] >Sent: 23 September 2002 09:40 >To: [EMAIL PROTECTED] >Subject: How can I make my logout page not secure? > > >I'm using J2EE container managed security (in Tomcat). I set >up a rule to protect all *.do actions. The problem is my >logout.do is protected as well! > >In my web.xml I have: > > <security-constraint> > <web-resource-collection> > <web-resource-name>All DO</web-resource-name> > <url-pattern>*.do</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>*</role-name> > </auth-constraint> > </security-constraint> > >And then I use struts to set the security roles for each >action. Although my logout action doesn't have any security >roles, the above config in the web.xml requires a user to be >authenticated before executing an action. > >What can I do to unprotect my logout action? > > > >-- >To unsubscribe, e-mail: ><mailto:struts-user->[EMAIL PROTECTED]> >For >additional commands, >e-mail: <mailto:[EMAIL PROTECTED]> > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
