At first glance at your code it looks like you might need to add a role principal after you've added the user. But on consideration I don't think that the user principal is going to be added to the session in such a way as you can get to the principal using request.getUserPrincipal() and is user in role business.
If you want to do things the servlet spec way and you're intent on using JAAS to do this then you're going to have to write a JAAS login module that you configure in your container (e.g. Tomcat). I don't think the session attribute name is defined in the servlet spec; if I'm correct then session.setAttribute(keyName,Principal) isn't going to help you much. Each vendor (again I think from what I read) can implement the security as they see fit. The only thing they must do is provide a means of configuring realms and that a request that matches the j_security_check, j_username, j_password stuff. To be a compliant container, when you make such a request the container must have a configurable means of authenticating.

Now where JAAS comes into it is that JAAS, like the servlet spec, is a standard, and thus vendor support is likely to be there. But not all realm authentication is JAAS. In a lot of cases a datasource/JDBC realm that comes with most containers will do the job. But if this isn't the case then it might be easier writing a JAAS login module and then wiring it into the container, along with the JAAS configuration that you need to define using the java.security.auth.login.config property.

If you're authenticating against a database, then don't get bogged down with JAAS, and use a datasource realm. Assuming you configure it correctly you'll have all the request.getUserPrincipal() and isUserInRole stuff to use in your webapp.

http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html

In most cases you don't need JAAS; if you're activating the security manager then you'd need to have a pretty good grasp of all this stuff. And from what I see not many folk bother with the security manager.

I guess the question is what are you authenticating against? And which container are you using?

Mark

On 3/14/06, Jubin Kuriakose <[EMAIL PROTECTED]> wrote:
> Hi all
> Can anyone give me links related to implementing security-constraints (from
> web.xml) and struts together. I googled without any success.
>
> thnx jubs
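
An added example, not part of the original messages: the web.xml security-constraint the question asks about, wired to the data source realm approach described in the reply. The role name, URL pattern, page names, JNDI name and table/column names are assumptions; the Realm attributes are those documented in the Tomcat realm how-to linked above.

```xml
<!-- WEB-INF/web.xml (fragment): container-managed security per the servlet spec -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin actions</web-resource-name>
    <!-- A url-pattern is either a path prefix or an extension, never both,
         so protected Struts actions are grouped under one path (assumed
         /admin/). With ActionServlet mapped to *.do, /admin/list.do matches. -->
    <url-pattern>/admin/*</url-pattern>
    <!-- No http-method elements: the constraint covers every method. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require TLS so j_password is not sent in clear text. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>

<!-- login.jsp posts to the container, not to a Struts action:
     <form method="post" action="j_security_check">
       <input type="text" name="j_username"/>
       <input type="password" name="j_password"/>
     </form> -->

<!-- Tomcat configuration (server.xml or the context descriptor), not web.xml:
     realm backed by a JNDI DataSource (assumed name jdbc/authDB).
     Store digested credentials rather than plain text; how the digest is
     configured depends on the Tomcat version, see the realm how-to. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authDB"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
```

Constraints are checked on the incoming request URL only, not on the RequestDispatcher forward an action makes to a JSP, so keep protected JSPs out of direct reach (for example under WEB-INF). Struts 1 action mappings also accept a `roles` attribute, which is checked through request.isUserInRole() once the container has authenticated the user.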