Jubin Kuriakose wrote:

>oh...
>Supposing I did use j_security_check to authenticate. How do I check if the
>user is authenticated at a later stage?
>
request.getUserPrincipal() returns a non-null value.

>and is it possible to programmatically remove his permission?
>
Not really. Once the user has been authenticated, it's written in his
session. Some people have had success by clearing the user session, but
this behaviour is container dependent as, unfortunately, the J2EE specs did
not provide for such a mechanism.

>thnx
>
>On 3/14/06, David Delbecq <[EMAIL PROTECTED]> wrote:
>
>>I'm sorry, but that's not how form-based authentication works in J2EE.
>>When you are not authenticated, the container redirects you to the
>>form-login-page.
>>This page must contain a form with 2 fields: j_username and
>>j_password. The form action MUST be of type POST and the target MUST be
>>"j_security_check" (this is a special URL that will be handled by the
>>container; you cannot map any servlet there).
>>
>>example:
>><form method="POST" action="j_security_check">
>><table>
>><tr>
>><td>Login :</td>
>><td><input type="text" name="j_username"></td>
>></tr>
>><tr>
>><td>Mot de passe :</td>
>><td><input type="password" name="j_password"></td>
>></tr>
>><tr>
>><td><input type="submit" value="Entrer !"></td>
>><td><input type="reset" value="Annuler"></td>
>></tr>
>></table>
>></form>
>>
>>If you use any action other than j_security_check, this will be handled
>>like any other URL query, and no authentication will take place.
>>
>>The reason you have father -> login form -> father apparently
>>working is simply because Struts does a forward after the action, which
>>takes place internally and so is not concerned by the security
>>constraints.
>>
>>Jubin Kuriakose wrote:
>>
>>>Hi David
>>>I did do that ...
>>>
>>>>   <security-constraint>
>>>>           <web-resource-collection>
>>>>           <web-resource-name>father</web-resource-name>
>>>>           <description>Security</description>
>>>>           <url-pattern>/father/*</url-pattern>
>>>>           <http-method>GET</http-method>
>>>>           <http-method>POST</http-method>
>>>>       </web-resource-collection>
>>>>
>>>>       <auth-constraint>
>>>>           <role-name>admin</role-name>
>>>>       </auth-constraint>
>>>>
>>>>       <user-data-constraint>
>>>>           <transport-guarantee>NONE</transport-guarantee>
>>>>       </user-data-constraint>
>>>>
>>>>   </security-constraint>
>>>>
>>>>   <login-config>
>>>>       <auth-method>FORM</auth-method>
>>>>       <form-login-config>
>>>>           <form-login-page>/auth.do</form-login-page>
>>>>           <form-error-page>/admin/error.jsp</form-error-page>
>>>>       </form-login-config>
>>>>   </login-config>
>>>>
>>>>   <security-role>
>>>>       <role-name>admin</role-name>
>>>>   </security-role>
>>>>
>>>and my authentication is diverted to an action class which carries out the
>>>actual checking.
>>>
>>>Here is auth.jsp that calls the AuthAction
>>>
>>>>   <html:form action="authAction">
>>>>   <TABLE width="100%" border="0" cellspacing="0" cellpadding="5">
>>>>       <TR align="center">
>>>>           <TD align="right" class="Prompt">Username</TD>
>>>>           <TD align="left">
>>>>               <html:text property="j_username" maxlength="20"></html:text>
>>>>           </TD>
>>>>       </TR>
>>>>       <TR align="center">
>>>>           <TD align="right" class="Prompt">Password</TD>
>>>>           <TD align="left">
>>>>               <!-- html:password renders type="password" so the secret is not echoed -->
>>>>               <html:password property="j_password" maxlength="20"></html:password><BR>
>>>>           </TD>
>>>>       </TR>
>>>>       <TR align="center">
>>>>           <TD align="right" class="Prompt"></TD>
>>>>           <TD align="left">
>>>>               <html:submit value="Login"></html:submit>
>>>>           </TD>
>>>>       </TR>
>>>>   </TABLE>
>>>>   </html:form>
>>>>
>>>the action class is here
>>>
>>>>import java.security.Principal;
>>>>import java.util.Set;
>>>>import javax.security.auth.Subject;
>>>>import javax.security.auth.callback.CallbackHandler;
>>>>import javax.security.auth.login.LoginContext;
>>>>import javax.security.auth.login.LoginException;
>>>>import javax.servlet.http.HttpServletRequest;
>>>>import javax.servlet.http.HttpServletResponse;
>>>>import org.apache.struts.action.Action;
>>>>import org.apache.struts.action.ActionForm;
>>>>import org.apache.struts.action.ActionForward;
>>>>import org.apache.struts.action.ActionMapping;
>>>>import org.apache.struts.action.DynaActionForm;
>>>>// SimplePrincipal and SecurityAssociationHandler are assumed to be the
>>>>// JBoss classes of those names; the post does not say which container is used.
>>>>import org.jboss.security.SimplePrincipal;
>>>>import org.jboss.security.auth.callback.SecurityAssociationHandler;
>>>>
>>>>public class AuthAction extends Action {
>>>>   public ActionForward execute(ActionMapping mapping, ActionForm form,
>>>>           HttpServletRequest request, HttpServletResponse response)
>>>>           throws Exception {
>>>>       String username = ((DynaActionForm) form).getString("j_username");
>>>>       String password = ((DynaActionForm) form).getString("j_password");
>>>>       System.out.println("Authentication execute called");
>>>>       try {
>>>>               // JAAS login against the "example" application policy;
>>>>               // the handler supplies the name and password to the login modules
>>>>               SecurityAssociationHandler handler = new SecurityAssociationHandler();
>>>>               SimplePrincipal user = new SimplePrincipal(username);
>>>>               handler.setSecurityInfo(user, password.toCharArray());
>>>>               LoginContext loginContext = new LoginContext("example",
>>>>                       (CallbackHandler) handler);
>>>>               loginContext.login();
>>>>               Subject subject = loginContext.getSubject();
>>>>               System.out.println("Subject--> " + subject.toString());
>>>>               Set<Principal> principals = subject.getPrincipals();
>>>>               principals.add(user);
>>>>
>>>>               // getSession(true) creates the session if none exists yet;
>>>>               // getSession(false) returns null on a first visit and would NPE here
>>>>               request.getSession(true).setAttribute("login", subject);
>>>>       } catch (LoginException e) {
>>>>           // authentication failed: send the user to the error forward
>>>>           System.out.println("LoginException");
>>>>           return mapping.findForward("error");
>>>>       }
>>>>       return mapping.findForward("father");
>>>>   }
>>>>}
>>>>
>>>and it works fine. Each time a request comes to the URL /father/* the
>>>auth.jsp is called, even if I was authorised the first time.
>>>Meaning I have to authenticate myself every time I access anything in
>>>/father/. How do I get over this behaviour and only authenticate myself
>>>once...
>>>
>>>thanks for any help
>>>
>>>On 3/14/06, David Delbecq <[EMAIL PROTECTED]> wrote:
>>>
>>>>Do it like you would for any servlet. Either apply a security constraint
>>>>to the Struts servlet itself or apply security constraints to URL paths
>>>>(applying a security constraint to /admin/* also applies to
>>>>/admin/someStrutsAction.do).
>>>>
>>>>Jubin Kuriakose wrote:
>>>>
>>>>>Hi all
>>>>>Can anyone give me links related to implementing security-constraints (from
>>>>>web.xml) and Struts together. I googled without any success.
>>>>>
>>>>>thnx jubs
>>>>>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
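Added example (not code from the thread or from either poster): the two checks David describes, written against the Servlet 2.x API. The filter treats a non-null request.getUserPrincipal() as "the container has authenticated this user via j_security_check" and isUserInRole as the authorisation check; the logout servlet clears the user's session, which is the container-dependent approach David mentions for removing a permission (later Servlet 3.0 containers also offer request.logout(), which this 2006 thread predates). The role name "admin" and the /father/* path are taken from Jubin's web.xml; the class names and the /logout mapping are assumptions for this example.

```java
// Added example, not from the thread. Assumes a Servlet 2.x container and that
// the filter is mapped to /father/* and LogoutServlet to /logout in web.xml.
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Programmatic check of the container's FORM authentication state.
 * The security-constraint in web.xml already enforces this; the filter shows
 * how application code can observe the same state at a later stage.
 */
public class AuthCheckFilter implements Filter {
    // Role name comes from the <auth-constraint> in Jubin's web.xml.
    private static final String REQUIRED_ROLE = "admin";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Null until the container has processed a successful j_security_check POST.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Authenticated, but is the user allowed into /father/*?
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        chain.doFilter(req, res);
    }
}

/**
 * "Removing the permission": the container keeps the authenticated identity in
 * the session, so invalidating the session is the portable-ish way to drop it.
 * Whether getUserPrincipal() becomes null afterwards is container dependent.
 */
class LogoutServlet extends HttpServlet {
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // getSession(false): do not create a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/");
    }
}
```

Logout is a POST so that a cross-site GET cannot log the user out; mapping the filter under the same /father/* pattern as the security-constraint keeps the programmatic check and the declarative one in agreement.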
