Hmm, well, I hope that I turn out to be wrong here. I tried it myself
and couldn't get it to work. Please let me know how it goes.
Erik
Leandro Melo wrote:
Hi Erik, I was not missing that, I just forgot to tell you that...
- JBoss actually propagates its security stuff to Tomcat and
vice-versa. I got this information from the JBoss forum
(http://jboss.org/index.html?module=bb&op=viewtopic&t=53202).
Then I tested it myself with a simple login using j_security_check and
could confirm this fact. JAAS is propagated between JBoss and Tomcat.
Anyway, let's have some thoughts...
In my logon action, I can log in fine (as I told you, using JBoss
structure) then I forward to the index.jsp page, which is a secure
page. Then I think that if this security was not propagated I wouldn't
even get to the index.jsp, because it's a protected page. And as I told
you, I reach the index.jsp fine.
So, it seems that I'm actually being authenticated in JBoss and Tomcat
(I'm not home right now, but when I get there I'll try to use a
request.isUserInRole method inside that action to confirm my thesis),
but only for a request scope.
Leandro.
--- Erik Weber <[EMAIL PROTECTED]> wrote:
Sorry to hear that you are so mad, it is indeed frustrating to try to
work with APIs that are poorly documented, but, I think you're still
missing one thing I've been saying . . .
Leandro Melo wrote:
Hi Erik,
the point is that I'm actually changing my approach. I gave up for a
moment the action="j_security_check" (I'm using j_username and
j_password just to make it similar, just because the names were already
there when I tried something with j_security_check) thing and pointed
the action of my login.jsp to action="/logon.do".
Then, in this action, I just create the login using JBoss's default
structure (I'm using DatabaseServerLogin,
UsernamePasswordCallbackHandler, which are JBoss' stuff).
BUT, I'm really, really, really mad with this thing. Never been so
disappointed about one thing as I am with this.
If you note my logon action you'll see that it does just what all
tutorials and references to JAAS say to do.
String j_username = (String) request.getParameter("j_username");
String x = (String) request.getParameter("j_password");
char[] j_password = null;
UsernamePasswordHandler handler = null;
if (x != null) {
    j_password = x.toCharArray();
    // JBoss callback handler that supplies the username and password
    handler = new UsernamePasswordHandler(j_username, j_password);
}
LoginContext lc = null;
try {
    // "example2" is the name of the JAAS login configuration
    lc = new LoginContext("example2", handler);
    lc.login();
    Subject subject = lc.getSubject();
    Set principals = subject.getPrincipals();
    Principal user = new SimplePrincipal(j_username);
    principals.add(user);
} catch (LoginException e) {
    e.printStackTrace();
    throw new Exception();
}
return mapping.findForward("index");
As I said, this WORKS, it actually logs the user correctly.

I think it may have logged you in correctly *with JBoss*. The
LoginContext you are using here is specific to JBoss, if I am not
mistaken.

BUT when I get to index.jsp, I'm not logged in anymore, the action
seems to be logging the user in, doing the stuff I ask, and as soon as
the action leaves the scope, I'm back to not being logged in again.
This makes me mad!!!!

Struts runs in the Tomcat container, within the JBoss JVM. When you
logged in with the JBoss login module, Tomcat knew nothing about it. To
log in with Tomcat, you have to send the form action to
"j_security_check". That is the way I understand it.
Erik

Then, I thought it could be HttpSession issues, and I inserted the
following line in the beginning of the Action, BUT, take a look at what
happens.
//the first lines of the action
if (request.getSession(false) == null) {
    System.out.println("session not created");
}
/* Hahahaha, the weird thing is that my getSession(false) NEVER returns
   null!!! Even with this being the first Action of my app. At the
   suggestion of other people I inserted the following line in
   struts-config.xml -> <controller locale="false"/>
   Because Struts creates a session object if locale="true", which is
   the default option.
   So, to FORCE my login over here, I'll just go with invalidating my
   session. */
request.getSession().invalidate();
//all right, now I don't have a session anymore
//Right here I inserted all the login stuff code I mentioned earlier
//(which works fine, as I said) and then create a new session.
HttpSession session = request.getSession();
Do you see?? According to most references I read, this was supposed to
work, BUT my "security" session has a scope of only one action, as soon
as I leave and am forwarded I need to go back and log in again. This is
sad...
Regards,
Leandro
--- Erik Weber <[EMAIL PROTECTED]> wrote:
Sorry, I may have misled you here:
Erik Weber wrote:
Leandro, perhaps I didn't explain very well. As far as I know, there is
no way for you to intercept the login request and process the
j_username and j_password parameters yourself -- you have to let the
container receive the form submittal and process the login. This is why
I said, your login form can't be a Struts form -- your login page is
basically not going to be a part of Struts. You'll have to think of
your login screen as one face of a container "module" or "extension"
that can serve as the front door of *any* web apps running in that
container. It doesn't belong to the web app, but you can make it look
=== message truncated ===
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]