I am sorry, but that's not how form-based authentication works in J2EE.
When you are not authenticated, the container redirects you to
form-login-page.
This page must contain a form with 2 fields: j_username and
j_password. The form action MUST be of type POST and the target MUST be
"j_security_check" (this is a special URL that will be handled by the
container; you cannot map any servlet there).
Example:
<form method="POST" action="j_security_check">
  <table>
    <tr>
      <td>Login :</td>
      <td><input type="text" name="j_username"></td>
    </tr>
    <tr>
      <td>Mot de passe :</td>
      <td><input type="password" name="j_password"></td>
    </tr>
    <tr>
      <td><input type="submit" value="Entrer !"></td>
      <td><input type="reset" value="Annuler"></td>
    </tr>
  </table>
</form>
If you use any action other than j_security_check, this will be handled
like any other URL query, and no authentication will take place.
The reason you are having father -> login form -> father apparently
working is simply because Struts does a forward after the action, which
takes place internally and so is not concerned about the security
constraints.
Jubin Kuriakose wrote:
>Hi David
>I did do that ...
>
>
>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>father</web-resource-name>
>> <description>Security</description>
>> <url-pattern>/father/*</url-pattern>
>> <http-method>GET</http-method>
>> <http-method>POST</http-method>
>> </web-resource-collection>
>>
>> <auth-constraint>
>> <role-name>admin</role-name>
>> </auth-constraint>
>>
>> <user-data-constraint>
>> <transport-guarantee>NONE</transport-guarantee>
>> </user-data-constraint>
>>
>> </security-constraint>
>>
>> <login-config>
>> <auth-method>FORM</auth-method>
>> <form-login-config>
>> <form-login-page>/auth.do</form-login-page>
>> <form-error-page>/admin/error.jsp</form-error-page>
>> </form-login-config>
>> </login-config>
>>
>> <security-role>
>> <role-name>admin</role-name>
>> </security-role>
>>
>>
>and my authentication is diverted to an action class which carries out the
>actual checking.
>
>Here is auth.jsp that calls the AuthAction
>
>
> <html:form action="authAction">
>
>
>> <TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
>> <TR align="center">
>> <TD align="right" class="Prompt"></TD>
>> <TD align="left">
>> <html:text property="j_username"
>>maxlength="20"></html:text>
>> </TD>
>> </TR>
>> <TR align="center">
>> <TD align="right" class="Prompt">Username</TD>
>> <TD align="left">
>> <html:text property="j_password"
>>maxlength="20"></html:text><BR>
>> </TD>
>> </TR>
>> <TR align="center">
>> <TD align="right" class="Prompt">Password</TD>
>> <TD align="left">
>> <html:submit value="Login"></html:submit>
>> </TD>
>> </TR>
>> </TABLE>
>> </html:form>
>>
>>
>>
>
>the action class is here
>
>public ActionForward execute(ActionMapping mapping, ActionForm form,
>
>
>>HttpServletRequest request, HttpServletResponse response) throws Exception {
>>
>> String username = ((DynaActionForm)form).getString("j_username");
>> String password = ((DynaActionForm)form).getString("j_password");
>> System.out.println("Authentication execute called");
>> try {
>>
>> SecurityAssociationHandler handler = new
>>SecurityAssociationHandler();
>> SimplePrincipal user = new SimplePrincipal(username);
>> handler.setSecurityInfo(user, password.toCharArray());
>> LoginContext loginContext = new LoginContext("example",
>> (CallbackHandler) handler);
>> loginContext.login();
>> Subject subject = loginContext.getSubject();
>> System.out.println("Subject--> " + subject.toString());
>> Set<Principal> principals = subject.getPrincipals();
>> principals.add(user);
>>
>> request.getSession(false).setAttribute("login",subject);
>> } catch (LoginException e) {
>> // TODO: handle exception
>> System.out.println("LoginException");
>> return mapping.findForward("error");
>> }
>> return mapping.findForward("father");
>> }
>>
>>
>>
>>
>
>and it works fine. Each time a request comes to url /father/* the
>auth.jsp is called, even if I was authorised the first time.
>Meaning I have to authenticate myself every time I access anything in
>/father/. How do I get over this behaviour and only authenticate myself
>only once...
>
>thanks for any help
>
>
>
>On 3/14/06, David Delbecq <[EMAIL PROTECTED]> wrote:
>
>
>>Do it like you would for any servlet. Either apply a security constraint
>>to struts servlet itself or apply security constraints to url path
>>(applying a security constraint to /admin/* applies also to
>>/admin/someStrutsAction.do)
>>
>>Jubin Kuriakose wrote:
>>
>>
>>
>>>Hi all
>>>Can anyone give me links related to implementing security-constraints (from
>>>web.xml) and Struts together. I googled without any success.
>>>
>>>thnx jubs
>>>
>>>
>>>
>>>
>>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]
>>
>>
>>
>>
>
>
>
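A check a reviewer could run for the rule described in the reply above (added example, not part of the original thread): it reads form-login-page from web.xml and verifies that the login page's rendered form POSTs j_username and j_password to j_security_check. The sample inputs are constructed, and the /app/authAction.do rendering of the Struts form is an assumption.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed samples: the login-config quoted in the thread, the form from the
# reply, and an assumed rendering of the Struts <html:form action="authAction">.
WEB_XML = """<web-app><login-config><auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/auth.do</form-login-page>
    <form-error-page>/admin/error.jsp</form-error-page>
  </form-login-config></login-config></web-app>"""
GOOD = ('<form method="POST" action="j_security_check">'
        '<input name="j_username"><input type="password" name="j_password"></form>')
STRUTS = ('<form name="authForm" method="post" action="/app/authAction.do">'
          '<input name="j_username"><input name="j_password"></form>')

class FormCollector(HTMLParser):
    """Record method, action and input names of every <form> in a page."""
    def __init__(self):
        super().__init__()
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"method": (a.get("method") or "get").lower(),
                               "action": a.get("action") or "", "fields": set()})
        elif tag == "input" and self.forms:
            self.forms[-1]["fields"].add(a.get("name"))

def form_login_page(web_xml):
    """Return <form-login-page> when auth-method is FORM, else None."""
    cfg = ET.fromstring(web_xml).find("{*}login-config")
    if cfg is not None and (cfg.findtext("{*}auth-method") or "").strip() == "FORM":
        return (cfg.findtext("{*}form-login-config/{*}form-login-page") or "").strip()
    return None

def audit_login_form(html):
    """Return a list of problems; empty means the form posts to the container."""
    parser = FormCollector()
    parser.feed(html)
    if not parser.forms:
        return ["no <form> in login page"]
    form, problems = parser.forms[0], []
    target = form["action"].split("?")[0].split(";")[0].rsplit("/", 1)[-1]
    if target != "j_security_check":
        problems.append("action is %r, not j_security_check" % form["action"])
    if form["method"] != "post":
        problems.append("method is %r, not POST" % form["method"])
    problems += ["missing field " + n for n in ("j_username", "j_password")
                 if n not in form["fields"]]
    return problems
```

Run audit_login_form on the HTML the browser actually receives for the form-login-page, since JSP source with html:form tags is not what the container sees submitted.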