Hi Erik, I was not missing that, I just forgot to tell
you that...

- JBoss actually propagates its security stuff to
Tomcat and vice-versa. I got this information from the
JBoss forum
(http://jboss.org/index.html?module=bb&op=viewtopic&t=53202).
Then I tested it myself with a simple login using
j_security_check and could confirm this fact. JAAS is
propagated between JBoss and Tomcat.

Anyway, let's have some thoughts...
In my logon action, I can log in fine (as I told you,
using JBoss structure), then I forward to the index.jsp
page, which is a secure page. So I think that if this
security was not propagated I wouldn't even get to the
index.jsp, because it's a protected page. And as I
told you, I reach the index.jsp fine.
So, it seems that I'm actually being authenticated in
JBoss and Tomcat (I'm not home right now, but when I
get there I'll try to use a request.isUserInRole
method inside that action to confirm my thesis), but
only for a request scope.

Leandro.



 --- Erik Weber <[EMAIL PROTECTED]> wrote:
> Sorry to hear that you are so mad, it is indeed frustrating to try to
> work with APIs that are poorly documented, but, I think you're still
> missing one thing I've been saying . . .
> 
> Leandro Melo wrote:
> 
> >Hi Erik,
> >the point is that I'm actually changing my approach.
> >I gave up for a moment the action="j_security_check"
> >(I'm using j_username and j_password just to make it
> >similar, just because these names were already there
> >when I tried something with j_security_check) thing
> >and pointed the action of my login.jsp to
> >action="/logon.do".
> >Then, in this action, I just create the login using
> >JBoss's default structure (I'm using
> >DatabaseServerLogin, UsernamePasswordCallbackHandler,
> >which are JBoss' stuff).
> >BUT, I'm really, really, really mad with this thing.
> >Never been so disappointed about one thing as I am with
> >this.
> >If you note my logon action you'll see that it does
> >just what all tutorials and references to JAAS say to do.
> >
> >String j_username = (String)request.getParameter("j_username");
> >String x = (String)request.getParameter("j_password");
> >
> >if (x != null){
> >   j_password = x.toCharArray();
> >   handler = new UsernamePasswordHandler(j_username, j_password);
> >}
> >
> >LoginContext lc = null;
> >
> >try {
> >   lc = new LoginContext("example2", handler);
> >   lc.login();
> >   Subject subject = lc.getSubject();
> >   Set principals = subject.getPrincipals();
> >   Principal user = new SimplePrincipal(j_username);
> >   principals.add(user);
> >} catch (LoginException e) {
> >   e.printStackTrace();
> >   throw new Exception();
> >}
> >
> >return mapping.findForward("index");
> >
> >
> >As I said, this WORKS, it actually logs the user
> >correctly.
> >
> I think it may have logged you in correctly *with JBoss*. The
> LoginContext you are using here is specific to JBoss, if I am not mistaken.
>
> > BUT when I get to index.jsp, I'm not logged in
> >anymore. The action seems to be logging the user in, doing
> >the stuff I ask, and as soon as the action leaves the
> >scope, I'm back to not logged in again. This makes me mad!!!!
> >
> Struts runs in the Tomcat container, within the JBoss JVM. When you
> logged in with the JBoss login module, Tomcat knew nothing about it. To
> login with Tomcat, you have to send the form action to
> "j_security_check". That is the way I understand it.
> 
> Erik
> 
> >Then, I thought it could be HttpSession issues, and I
> >inserted the following line at the beginning of the
> >Action, BUT, take a look at what happens.
> >
> >//the first lines of the action
> >if (request.getSession(false) == null){
> >   System.out.println("session not created");
> >}
> >
> >/*Hahahaha, the weird thing is that my
> >getSession(false) NEVER returns null!!! Even with this
> >being the first Action of my app. At the suggestion of
> >other people I inserted the following line in
> >struts-config.xml ->    <controller locale="false"/>
> >Because Struts creates a session object if
> >locale="true", which is the default option.
> >So, to FORCE my login over here, I'll just go with
> >invalidating my session. */
> >
> >request.getSession().invalidate();
> >//all right, now I don't have a session anymore
> >
> >//Right here I inserted all the login code I
> >//mentioned earlier (which works fine, as I said) and
> >//then create a new session.
> >
> >HttpSession session = request.getSession();
> >
> >
> >Do you see?? According to most references I read, this
> >was supposed to work, BUT my "security" session has a
> >scope of only one action; as soon as I leave and am
> >forwarded I need to go back and log in again. This is
> >sad...
> >
> >Regards,
> >Leandro
> >
> > --- Erik Weber <[EMAIL PROTECTED]> wrote:
> >
> >>Sorry, I may have misled you here:
> >>
> >>Erik Weber wrote:
> >>
> >>>Leandro, perhaps I didn't explain very well. As far as I know, there
> >>>is no way for you to intercept the login request and process the
> >>>j_username and j_password parameters yourself -- you have to let the
> >>>container receive the form submittal and process the login. This is
> >>>why I said, your login form can't be a Struts form -- your login page
> >>>is basically not going to be a part of Struts. You'll have to think of
> >>>your login screen as one face of a container "module" or "extension"
> >>>that can serve as the front door of *any* web apps running in that
> >>>container. It doesn't belong to the web app, but you can make it look
=== message truncated === 


        
        
                