Hi Muralidhar,
      thanks for your help, I will try and let you know.
Saman

On Fri, Mar 26, 2010 at 12:40 PM, Muralidhar B. <[email protected]>wrote:

>
>> Hi Saman
>>
>> Recently I have used form-based authentication for my project.  I have
>> used it in a Struts 1.3.8 project.  However, IMHO I think the same technique
>> would work as well in a Struts 2 web application. The description is a bit
>> long, just to make sure that you have no problem in implementing it.
>>
>> *Ammar*, thanks for the code snippet.  However, there are certain
>> issues we need to address here.
>>
>> *1. Who should access What*
>>
>> *For example:*
>>
>> a) *../twincling/secret/secretResource.do*
>> Only the *admin* level user-group can access resources in
>> ../twincling/secret/*
>>
>> b) *../twincling/newsletter/userResource.do*
>> Both users created in the *newsletter* user-group and the *admin* level
>> user-group can access ../twincling/newsletter/*
>>
>> c) *../twincling/public/publicResource.do*
>>
>> No authentication is needed when trying to access a
>> ../twincling/public/* resource
>>
>> This is a usual scenario where we want to figure out *who* should access
>> *what*.
>>
>>
>> *2. We want the authentication process to be automated, i.e., let the
>> web/app server decide who can access what resource instead of writing our
>> own login-authentication code.*
>>
>> *3. Need to handle URL copy paste and re-direct the user to the Login
>> page.*
>>
>> Eg: If the user types
>> http://localhost:8080/twincling/secret/secretResource.do at address bar,
>> the request should be directed to a login-page for authenticating the user.
>>
>> *4. Once the user is authenticated, allow him to access authorized
>> resource.*
>>
>> Eg: If the user types
>> http://localhost:8080/twincling/secret/secretResource.do, the request
>> should be directed to a login-page. At the login page if the user enters
>> valid userid and password, allow the user to access resource in ../secret/*
>> as long as he is in the *same session.*
>>
>> Form-based authentication addresses all the above issues.
>>
>> *1. First we need to have the following jsps*
>> a) login.jsp
>> b) login-fail.jsp
>> c) failedAuthentication.jsp
>>
>>       a) login.jsp
>> <form method="POST" name="formb" action="j_security_check">
>>     User Name <input type="text" name="j_username"/><br />
>>     Password <input type="password" name="j_password"/><br />
>>     <input type="submit" name="login" value="Login" />
>> </form>
>>
>> *Rules:*
>> i) The action of the login form must always be *j_security_check*. (To
>> ensure that the login form will work no matter which resource it is for, and
>> to avoid requiring the server to specify the action field of the outbound
>> form.)
>> ii) The username field name must be *j_username*
>> iii) The password field name must be *j_password*
>>
>>
>> b) login-fail.jsp
>>
>> <h5><font color="red">Invalid credentials. Please try again...  </font>
>> </h5>
>>
>> <form method="POST" name="formb" action="j_security_check">
>>     User Name <input type="text" name="j_username"/><br />
>>     Password <input type="password" name="j_password"/><br />
>>     <input type="submit" name="login" value="Login" />
>> </form>
>>
>>
>> login.jsp will be automatically called whenever a secured resource is
>> called.  If the authentication fails login-fail.jsp will be displayed.
>>
>> c) failedAuthentication.jsp
>>
>> <h3>Access Denied. <br /> You don't have the necessary privileges to access
>> this page!</h3>
>>
>>
>>
>>
>> *2. Add the following to your web.xml file*
>>
>> <login-config>
>>   <auth-method>FORM</auth-method>
>>   <form-login-config>
>>    <form-login-page>/login.jsp</form-login-page>
>>    <form-error-page>/login-fail.jsp</form-error-page>
>>   </form-login-config>
>> </login-config>
>> *And this as well*
>>
>>
>>  <security-constraint>
>>   <web-resource-collection>
>>    <web-resource-name>AdminPages</web-resource-name>
>>    <description> accessible by authorised users in admin group
>> </description>
>>    <url-pattern>/secret/*</url-pattern>
>>    <http-method>GET</http-method>
>>    <http-method>POST</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>    <description>These are the roles who have access</description>
>>    <role-name>admin</role-name>
>>   </auth-constraint>
>>  </security-constraint>
>>
>>  <security-constraint>
>>   <web-resource-collection>
>>    <web-resource-name>Newsletter Pages</web-resource-name>
>>    <description> accessible by authorised users in newsletter group
>> </description>
>>    <url-pattern>/newsletter/*</url-pattern>
>>    <http-method>GET</http-method>
>>    <http-method>POST</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>    <description>These are the roles who have access</description>
>>    <role-name>admin</role-name>
>>    <role-name>newsletter</role-name>
>>   </auth-constraint>
>>  </security-constraint>
>>  <security-role>
>>   <description>system administrator</description>
>>   <role-name>admin</role-name>
>>  </security-role>
>>  <security-role>
>>   <description>Newsletter group</description>
>>   <role-name>newsletter</role-name>
>>  </security-role>
>> <error-page>
>>   <error-code> 403 </error-code>
>>   <location>/failedAuthentication.jsp </location>
>> </error-page>
>>
>>
>>
>> *3. Create the following tables in DB*
>>          Login  [username, password]
>>          User_Role [username,role]
>>
>> The login table will store the user credentials and the user_role table
>> will store the role for the corresponding user.  For our example
>>
>> Login: username=saman, password=secret123
>> User_Role: username=saman, role=admin
>>
>> Please note that form-based authentication will work only if both user
>> credentials[username,password] and his role is present in the corresponding
>> tables.
>>
>> *4. If you are using Apache Tomcat, modify the server.xml
>> Find and uncomment the following in server.xml*
>>
>> <Realm className="org.apache.catalina.realm.JDBCRealm"
>> driverName="org.gjt.mm.mysql.Driver"
>> connectionURL="jdbc:mysql://localhost/authority"
>> connectionName="test" connectionPassword="test"
>> userTable="users" userNameCol="user_name" userCredCol="user_pass"
>> userRoleTable="user_roles" roleNameCol="role_name" />
>>
>> And update with your specific connection-parameters.  Here is an example
>>
>>   <Realm  className="org.apache.catalina.realm.JDBCRealm"
>>             debug="99" driverName="com.mysql.jdbc.Driver"
>>             connectionURL="jdbc:mysql://10.10.10.112:3306/twincling"
>>             connectionName="saman"
>>             connectionPassword="passw0rd123"
>>             userTable="login"
>>            userNameCol="username"
>>            userCredCol="password"
>>            userRoleTable="user_role"
>>            roleNameCol="role"
>>        />
>>
>>
>> *5. Place the relevant database driver in ..\tomcat\common\lib folder*
>>
>> For the above example, I have placed mysql-connector-java-5.0.4-bin.jar at
>> *..\tomcat\common\lib* folder
>>
>> *6. Next we need to tell it where to go if all is well and authentication
>> is successful*
>> For that I have the following entry in my web.xml
>>
>> <welcome-file-list>
>>   <welcome-file>/pages/login/Index.jsp</welcome-file>
>> </welcome-file-list>
>>
>> And at index.jsp I have the following entry
>>
>>       <% response.sendRedirect("login.do");%>
>>
>> Which directs to the following action class
>>
>>
>> public ActionForward execute(ActionMapping mapping, ActionForm form,
>>         HttpServletRequest request, HttpServletResponse response) {
>>   String userName = null;
>>   boolean roleStatus = false;   // isUserInRole() returns a boolean, not a String
>>
>>   userName = request.getRemoteUser();
>>   // this is how we can get the j_username value
>>
>>   roleStatus = request.isUserInRole("admin");
>>   // this is how we can check if the user
>>   // is in role admin
>>   // to check if the user is in the newsletter group you would
>>   // say  roleStatus = request.isUserInRole("newsletter");
>>
>>   // perform other actions
>>
>>   // execute() must return a forward; "success" is mapped in struts-config.xml
>>   return mapping.findForward("success");
>> }
>>
>>
>> Hope this helps you.. If you have any queries please reply.
>>
>> Regards
>> Murali
>>
>>
>>
>>
>> On Thu, Mar 25, 2010 at 10:08 PM, Ammar Kantawala <
>> [email protected]> wrote:
>>
>>> Hi,
>>> do you want to create a login page to authenticate the user?
>>> If yes, you can try
>>>
>>> <%@ page language="java" contentType="text/html; charset=ISO-8859-1"
>>>     pageEncoding="ISO-8859-1"%>
>>>
>>> <%@ taglib prefix="s" uri="/struts-tags" %>
>>> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
>>> "http://www.w3.org/TR/html4/loose.dtd">
>>>
>>>
>>>
>>> <html>
>>> <head>
>>> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
>>> <title>Please login</title>
>>> </head>
>>> <body>
>>> <s:form action="LoginDispatcher">
>>>     <s:textfield label="User Id" name="user"></s:textfield>
>>>     <s:password label="Password" name="pass"></s:password>
>>>     <s:submit label="Login" name="Login"></s:submit>
>>> </s:form>
>>> </body>
>>> </html>
>>>
>>> and write LoginDispatcher.java
>>>
>>>
>>>
>>> package abc;
>>>
>>> import java.sql.Connection;
>>> import java.sql.PreparedStatement;
>>> import java.sql.ResultSet;
>>> import java.sql.SQLException;
>>>
>>> import javax.naming.InitialContext;
>>> import javax.servlet.RequestDispatcher;
>>> import javax.servlet.http.*;
>>> import javax.sql.DataSource;
>>> import org.apache.struts2.ServletActionContext;
>>> import com.opensymphony.xwork2.*;
>>>
>>> public class LoginDispatcher extends ActionSupport
>>> {
>>>     private static final long serialVersionUID = 1L;
>>>     String uri;
>>>     User user;
>>>
>>>     public String execute()
>>>     {
>>>         HttpServletRequest req = ServletActionContext.getRequest();
>>>         HttpServletResponse res = ServletActionContext.getResponse();
>>>         user = new User();
>>>         String name = req.getParameter("user");
>>>         String pass = req.getParameter("pass");
>>>         user.setUser(name);
>>>         user.setPass(pass);
>>>
>>>         Connection con = null;
>>>         PreparedStatement ps = null;
>>>         ResultSet rs = null;
>>>         try {
>>>             InitialContext ctx = new InitialContext();
>>>             DataSource ds = (DataSource) ctx.lookup("java:comp/env/jdbc/PSN");
>>>             con = ds.getConnection();
>>>
>>>             // Bind the submitted values as parameters. Concatenating them
>>>             // into the SQL text let the input change the query itself
>>>             // (and the concatenated version was also missing the space
>>>             // before AND).
>>>             ps = con.prepareStatement(
>>>                 "select USERID,PASSWORD,ROLE from SQLJ.LOGIN where USERID=? AND PASSWORD=?");
>>>             ps.setString(1, name);
>>>             ps.setString(2, pass);
>>>             rs = ps.executeQuery();
>>>
>>>             if (!rs.next()) {
>>>                 // no row for this userid/password: nothing to dispatch to
>>>                 return "error";
>>>             }
>>>             // Read ROLE once; calling getString(3) again in every branch
>>>             // threw on an empty result set.
>>>             int role = Integer.parseInt(rs.getString(3));
>>>             if (role == 1) {
>>>                 uri = "/SMEHome.jsp";        // SME home page
>>>             } else if (role == 2) {
>>>                 uri = "/Home.jsp";           // Practitioner home page
>>>             } else if (role == 3) {
>>>                 uri = "/SMEPracHome.jsp";    // SME and practitioner home page
>>>             } else if (role == 4) {
>>>                 uri = "/AdminHome.jsp";      // Administrator home page
>>>             } else {
>>>                 uri = null;                  // unknown role: no home page yet
>>>             }
>>>             if (uri != null) {
>>>                 req.setAttribute("User", user);
>>>             } else {
>>>                 uri = "/CreateProfile.jsp";
>>>             }
>>>
>>>             RequestDispatcher rd = req.getRequestDispatcher(uri);
>>>             rd.forward(req, res);
>>>             // The forward has already written the response, so return null:
>>>             // Struts 2 then renders no result of its own for this action.
>>>             return null;
>>>         } catch (Exception e) {
>>>             e.printStackTrace();
>>>             return "error";
>>>         } finally {
>>>             // Release the JDBC resources on every path, not only on success
>>>             try { if (rs != null) rs.close(); } catch (SQLException ignored) {}
>>>             try { if (ps != null) ps.close(); } catch (SQLException ignored) {}
>>>             try { if (con != null) con.close(); } catch (SQLException ignored) {}
>>>         }
>>>     }
>>> }
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>  On Thu, Mar 25, 2010 at 2:34 PM, Saman Perera <[email protected]
>>> > wrote:
>>>
>>>> Hi all,
>>>>
>>>> Anyone know how to implement Struts 2 form-based authentication login in
>>>> an application?
>>>>
>>>> Thanks
>>>> Saman
>>>>
>>>
>>>
>>>
>>> --
>>> Ammar S. Kantawala
>>> B.Tech Computers
>>
>>
>
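A Struts 2 version of step 6 of Murali's description, added here as an example; it is not code from the thread or from any of the posters. The action does not handle j_username or j_password at all: by the time it runs, j_security_check has already validated the credentials against the realm and the security-constraint in web.xml has already decided whether the URL may be served, so the action only reads the outcome with getRemoteUser() and isUserInRole() and returns a result name. The package twincling.action, the class name LandingAction and the result names admin and newsletter are assumptions; the roles admin and newsletter are the ones declared in the web.xml above.

```java
package twincling.action;  // package name assumed for this example

import javax.servlet.http.HttpServletRequest;
import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionSupport;

/**
 * Landing action for a Struts 2 application that uses container-managed
 * FORM authentication. The container has already authenticated the user
 * and enforced the <security-constraint> before this action is reached,
 * so the action only reads the result and chooses where to send the user.
 */
public class LandingAction extends ActionSupport {

    private static final long serialVersionUID = 1L;

    /** Result names assumed to be mapped in struts.xml (assumption). */
    static final String ADMIN_HOME = "admin";
    static final String NEWSLETTER_HOME = "newsletter";

    /** Exposed to the result JSP through the value stack. */
    private String userName;

    public String getUserName() {
        return userName;
    }

    /**
     * Decision logic kept free of the servlet API so it can be unit-tested
     * without a running container. remoteUser is null when the container
     * has not authenticated the request.
     */
    static String homeFor(String remoteUser, boolean inAdmin, boolean inNewsletter) {
        if (remoteUser == null) {
            // Only reachable for a URL outside every <security-constraint>;
            // LOGIN is the Action interface constant "login".
            return LOGIN;
        }
        if (inAdmin) {
            return ADMIN_HOME;
        }
        if (inNewsletter) {
            return NEWSLETTER_HOME;
        }
        // Authenticated, but in no role this application knows about.
        return ERROR;
    }

    @Override
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();
        // getRemoteUser() is the j_username the realm accepted for this session
        userName = request.getRemoteUser();
        // isUserInRole() consults the role table the realm was configured with
        return homeFor(userName,
                       request.isUserInRole("admin"),
                       request.isUserInRole("newsletter"));
    }
}
```

Map the admin, newsletter and login results to the corresponding pages in struts.xml. The role check here only picks a page; what actually stops a newsletter user from reaching /secret/* is the security-constraint in web.xml, so keep that in place even when the action branches on roles. Two settings the thread's configuration leaves out, which belong in the same files: a user-data-constraint with transport-guarantee CONFIDENTIAL on the constrained collections, so the j_security_check POST carries the password over TLS rather than plain HTTP, and the JDBCRealm digest attribute, so the password column holds a hash instead of the clear text that the Login table example above stores.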
