Oh... Supposing I did use j_security_check to authenticate, how do I check if the user is authenticated at a later stage, and is it possible to programmatically remove his permission?
thnx

On 3/14/06, David Delbecq <[EMAIL PROTECTED]> wrote:
>
> Am sorry but that's not how form based authentication works in j2ee.
> When you are not authenticated, the container redirects you to
> form-login-page.
> This page must contain a form with 2 fields: j_username and
> j_password. The form action MUST be of type POST and the target MUST be
> "j_security_check" (this is a special url that will be handled by
> container, you can not map any servlet there).
>
> example:
> <form method="POST" action="j_security_check">
>   <table>
>     <tr>
>       <td>Login :</td>
>       <td><input type="text" name="j_username"></td>
>     </tr>
>     <tr>
>       <td>Mot de passe :</td>
>       <td><input type="password" name="j_password"></td>
>     </tr>
>     <tr>
>       <td><input type="submit" value="Entrer !"></td>
>       <td><input type="reset" value="Annuler"></td>
>     </tr>
>   </table>
> </form>
>
> if you use any action other than j_security_check, this will be handled
> like any other url query, and no authentication will take place.
>
> The reason you are having father -> login form -> father apparently
> working, is simply because struts does a forward after action, which
> takes place internally and so is not concerned about the security
> constraints.
>
> Jubin Kuriakose wrote:
>
> > Hi David
> > I did do that ...
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>father</web-resource-name>
> >     <description>Security</description>
> >     <url-pattern>/father/*</url-pattern>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <role-name>admin</role-name>
> >   </auth-constraint>
> >
> >   <user-data-constraint>
> >     <transport-guarantee>NONE</transport-guarantee>
> >   </user-data-constraint>
> >
> > </security-constraint>
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <form-login-config>
> >     <form-login-page>/auth.do</form-login-page>
> >     <form-error-page>/admin/error.jsp</form-error-page>
> >   </form-login-config>
> > </login-config>
> >
> > <security-role>
> >   <role-name>admin</role-name>
> > </security-role>
> >
> > and my authentication is diverted to an action class which carries out the
> > actual checking.
> >
> > Here is auth.jsp that calls the AuthAction
> >
> > <html:form action="authAction">
> >   <TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
> >     <TR align="center">
> >       <TD align="right" class="Prompt"></TD>
> >       <TD align="left">
> >         <html:text property="j_username" maxlength="20"></html:text>
> >       </TD>
> >     </TR>
> >     <TR align="center">
> >       <TD align="right" class="Prompt">Username</TD>
> >       <TD align="left">
> >         <html:text property="j_password" maxlength="20"></html:text><BR>
> >       </TD>
> >     </TR>
> >     <TR align="center">
> >       <TD align="right" class="Prompt">Password</TD>
> >       <TD align="left">
> >         <html:submit value="Login"></html:submit>
> >       </TD>
> >     </TR>
> >   </TABLE>
> > </html:form>
> >
> > the action class is here
> >
> > public ActionForward execute(ActionMapping mapping, ActionForm form,
> >         HttpServletRequest request, HttpServletResponse response) throws Exception {
> >
> >     String username = ((DynaActionForm)form).getString("j_username");
> >     String password = ((DynaActionForm)form).getString("j_password");
> >     System.out.println("Authentication execute called");
> >     try {
> >
> >         SecurityAssociationHandler handler = new SecurityAssociationHandler();
> >         SimplePrincipal user = new SimplePrincipal(username);
> >         handler.setSecurityInfo(user, password.toCharArray());
> >         LoginContext loginContext = new LoginContext("example",
> >                 (CallbackHandler) handler);
> >         loginContext.login();
> >         Subject subject = loginContext.getSubject();
> >         System.out.println("Subject--> " + subject.toString());
> >         Set<Principal> principals = subject.getPrincipals();
> >         principals.add(user);
> >
> >         request.getSession(false).setAttribute("login",subject);
> >     } catch (LoginException e) {
> >         // TODO: handle exception
> >         System.out.println("LoginException");
> >         return mapping.findForward("error");
> >     }
> >     return mapping.findForward("father");
> > }
> >
> > and it works fine. Each time a request comes to url /father/* the
> > auth.jsp is called, even if I was authorised the first time.
> > Meaning I have to authenticate myself every time I access anything in
> > /father/ . How do I get over this behaviour and only authenticate myself
> > once...
> >
> > thnks for any help
> >
> > On 3/14/06, David Delbecq <[EMAIL PROTECTED]> wrote:
> >
> >> Do it like you would for any servlet. Either apply a security constraint
> >> to struts servlet itself or apply security constraints to url path
> >> (applying a security constraint to /admin/* applies also to
> >> /admin/someStrutsAction.do)
> >>
> >> Jubin Kuriakose wrote:
> >>
> >>> Hi all
> >>> Can anyone give me links related to implementing security-constraints (from
> >>> web.xml) and struts together. I googled without any success.
> >>>
> >>> thnx jubs
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
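
An added example, not part of the original thread or of any poster's code: once the login form posts to j_security_check, a Struts 1 action can ask the container who is logged in and end that login by invalidating the session. The holder class `AuthActions`, the request attribute `currentUser` and the forward name `loggedOut` are assumptions; the `admin` role and the `father` forward come from the thread.

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

// Hypothetical holder class; register the nested actions in struts-config.xml
// as AuthActions$Father and AuthActions$Logout.
public class AuthActions {

    /** Mapped under /father/*, so the container has already applied the constraint. */
    public static class Father extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response)
                throws Exception {
            // Non-null only after a successful POST to j_security_check.
            Principal user = request.getUserPrincipal();
            // Internal forwards are not subject to <security-constraint>,
            // so re-check the role here instead of trusting the URL alone.
            if (user == null || !request.isUserInRole("admin")) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return null; // response already written, no forward
            }
            request.setAttribute("currentUser", user.getName()); // assumed attribute name
            return mapping.findForward("father");
        }
    }

    /** Ends the login: with FORM auth the principal is tied to the HTTP session. */
    public static class Logout extends Action {
        public ActionForward execute(ActionMapping mapping, ActionForm form,
                HttpServletRequest request, HttpServletResponse response)
                throws Exception {
            HttpSession session = request.getSession(false); // do not create a session
            if (session != null) {
                session.invalidate(); // next request to /father/* gets the login form
            }
            return mapping.findForward("loggedOut"); // hypothetical forward name
        }
    }
}
```

Taking the `admin` role away from a user, as opposed to ending the current login, is done in the container's user store (realm or login module) rather than in application code.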