Hi Adam, I modified the filter from xpetstore when I introduced container based security. It should now redirect the user to the signonAction to synchronise container based auth with session based (legacy) record of the logged in user. Thinking about it there could be some problems in there, but in the session timeout scenario, the SignonFilter doesn't get hit straight away (unlike the non-timeout scenario).
I guess the order of play is: Container based security Filter ActionServlet Can't work out why the filter would appear to be bypassed. Any ideas? Thanks for helping. Martin -----Original Message----- From: Adam Hardy [mailto:[EMAIL PROTECTED] Sent: 25 March 2004 21:18 To: Struts Users Mailing List Subject: Re: form based auth and session timeout and post data That's one mean filter. It's not part of struts but judging merely from its name, it's obviously built into the app security. What does xpetstore say it's meant to do? Have you checked the filter's javadoc? Adam On 03/25/2004 10:07 PM Martin Alley wrote: > Hi, > > > > I've got a struts based app using form based authentication (started out > as xpetstore). > > I have a situation where if I'm on a web form protected by role based > security, and the session times out, and then I submit the form, I get > to the login page, login, but then the original form data is lost. > > > > According to the log data, it's looking for an ActionForm of a different > name according to whether the session has timed out or not!!! > > I thought this stuff was statically configured. > > > > When there is no time out, the log looks like this: > > 2004-03-25 19:40:19,350 INFO [xpetstore.web.filter.SignOnFilter] > doFilter() > > 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter] > user=bug1b > > 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter] > isSignedIn=true > > 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter] > uri=/MotoringMemorabilia/updateCustomer.jspa > > 2004-03-25 19:40:19,350 DEBUG [xpetstore.web.filter.SignOnFilter] > _login=/login.jspa > > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] Get > module name for path /updateCustomer.jspa > > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] > Module name found: default > > 2004-03-25 19:40:19,350 DEBUG > [org.apache.struts.action.RequestProcessor] Processing a 'POST' for path > '/updateCustomer' > > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] > Looking for ActionForm bean instance in scope 'request' under attribute > key 'existingCustomerForm' > > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] > Creating new ActionForm instance of type > 'xpetstore.web.struts.action.customer.ExistingCustomerForm' > > 2004-03-25 19:40:19,350 DEBUG [org.apache.struts.util.RequestUtils] --> > [EMAIL PROTECTED] > > 2004-03-25 19:40:19,350 DEBUG > [org.apache.struts.action.RequestProcessor] Storing ActionForm bean > instance in scope 'request' under attribute key 'existingCustomerForm' > > 2004-03-25 19:40:19,350 DEBUG > [org.apache.struts.action.RequestProcessor] Populating bean properties > from this request > > 2004-03-25 19:40:19,360 DEBUG > [org.apache.struts.action.RequestProcessor] Validating input form > properties > > 2004-03-25 19:40:19,370 DEBUG > [org.apache.struts.action.RequestProcessor] No errors detected, > accepting input > > 2004-03-25 19:40:19,370 DEBUG > [org.apache.struts.action.RequestProcessor] Looking for Action instance > for class xpetstore.web.struts.action.customer.UpdateCustomerAction > > 2004-03-25 19:40:19,370 DEBUG > [org.apache.struts.action.RequestProcessor] Creating new Action > instance > > 2004-03-25 19:40:19,370 INFO > [xpetstore.web.struts.action.customer.UpdateCustomerAction] execute() > > > > > > > > When there is a timeout the log goes like this: > > 2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils] > Looking for ActionForm bean instance in scope 'request' under attribute > key 'newCustomerForm' > > 2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils] > Creating new ActionForm instance of type > 'xpetstore.web.struts.action.customer.NewCustomerForm' > > 2004-03-25 20:10:56,908 DEBUG [org.apache.struts.util.RequestUtils] --> > [EMAIL PROTECTED] > > 2004-03-25 20:10:56,918 DEBUG [org.apache.struts.util.RequestUtils] Get > module name for path /index.jsp > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] > Module name found: default > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get > module name for path /cart.jspa > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] > Module name found: default > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get > module name for path /signon.jspa > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] > Module name found: default > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get > module name for path /search.jspa > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] > Module name found: default > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] > Looking for ActionForm bean instance in scope 'request' under attribute > key 'searchForm' > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] > Creating new ActionForm instance of type > 'xpetstore.web.struts.action.product.SearchForm' > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] --> > [EMAIL PROTECTED] > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get > module name for path /index.jsp > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] > Module name found: default > > 2004-03-25 20:10:56,928 DEBUG [org.apache.struts.util.RequestUtils] Get > module name for path /category.jspa?categoryId=SIGNS > > > > The relevant action configuration looks like this: > > <action > > path="/updateCustomer" > > type="xpetstore.web.struts.action.customer.UpdateCustomerAction" > > name="existingCustomerForm" > > scope="request" > > input="/myaccount.jsp" > > unknown="false" > > validate="true" > > > > > <set-property > > property="secure" > > value="true" > > /> > > <forward > > name="success" > > path="/index.jsp" > > redirect="false" > > /> > > <forward > > name="error" > > path="/myaccount.jsp" > > redirect="false" > > /> > > > > The form that is posted is declared in html like this: > > <form name="existingCustomerForm" method="post" > action="/MotoringMemorabilia/updateCustomer.jspa"> > > > > I need to understand the interplay between container (form) based > authentication, filters and struts actionservlet. > > > > Can anyone shed some light? > > > > Thanks > > Martin > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- struts 1.1 + tomcat 5.0.16 + java 1.4.2 Linux 2.4.20 Debian --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
