On Thursday, 8 February 2007, Ian Roughley wrote:
> You probably don't need to send it to an action, you just need to render
> the HTML form for authentication. So, login.jsp would suffice. As far
> as s2 is concerned, authentication is completely external. The role
> interceptor just uses the HttpServletRequest to obtain the roles that
> the current user is logged in under.
If security is completely external, what is the Interceptor for? Defining a
SecurityConstraint in the web.xml file will prevent unauthorized access as
well, wouldn't it? (It seems to be the wrong way to me - I define the actions
in struts.xml, I do not see the point to include them in web.xml as well for
security)
But the interceptor just responds with a 403 if the user is not authorized - is
there no possibility to present another action in this case (the login
form?).
Or do I misunderstand this whole thing completely?
----- code -----
<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>profile</web-resource-name>
        <description>change user profile</description>
        <url-pattern>/EditProfile_input.action</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>portalUser</role-name>
    </auth-constraint>
</security-constraint>
---- code -----
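
An added example, not part of the original thread and not code shipped with Struts: a custom interceptor that reads the container's authentication state from the HttpServletRequest, as the quoted reply describes, returns the `login` result for an unauthenticated user, and sends 403 only when an authenticated user lacks the role. The class name `LoginOrForbiddenInterceptor` and its `requiredRole` parameter are hypothetical; the role `portalUser` is taken from the constraint above.

```java
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts2.ServletActionContext;

/**
 * Hypothetical interceptor (illustration only, not a Struts class).
 * Authentication stays with the servlet container; this class only
 * inspects what the container already established for the request.
 */
public class LoginOrForbiddenInterceptor extends AbstractInterceptor {

    // Role required to reach the action; defaults to the role used in web.xml.
    private String requiredRole = "portalUser";

    // Allows <param name="requiredRole">...</param> in struts.xml.
    public void setRequiredRole(String requiredRole) {
        this.requiredRole = requiredRole;
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        // No principal: the user has not logged in yet, so render the
        // result named "login" instead of an error page.
        if (request.getRemoteUser() == null) {
            return Action.LOGIN;
        }

        // Logged in but without the role: a login form would not help,
        // so answer 403 and tell Struts not to render any result.
        if (!request.isUserInRole(requiredRole)) {
            HttpServletResponse response = ServletActionContext.getResponse();
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Action.NONE;
        }

        // Authenticated and authorized: continue to the action.
        return invocation.invoke();
    }
}
```

The `login` result has to be mapped in struts.xml (for example to the login.jsp mentioned in the quoted reply), and the form on that page still submits to the container's own login mechanism.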