On Thursday, 8 February 2007, Ian Roughley wrote:
> You probably don't need to send it to an action, you just need to render
> the HTML form for authentication. So, login.jsp would suffice. As far
> as s2 is concerned, authentication is completely external. The role
> interceptor just uses the HttpServletRequest to obtain the roles that
> the current user is logged in under.

If security is completely external, what is the Interceptor for? Defining a SecurityConstraint in the web.xml file will prevent unauthorized access as well, wouldn't it? (It seems to be the wrong way to me - I define the actions in struts.xml; I do not see the point of including them in web.xml as well for security.)

But the interceptor just responds with a 403 if the user is not authorized - is there no possibility to present another action in this case (the login form)?

Or do I misunderstand this whole thing completely?

----- code -----
<security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
        <web-resource-name>profile</web-resource-name>
        <description>change user profile</description>
        <url-pattern>/EditProfile_input.action</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>portalUser</role-name>
    </auth-constraint>
</security-constraint>
----- code -----
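
One way to return a result such as the login form instead of the 403 asked about above, shown as an added example that is not part of the original message or of the Struts 2 code base. The class name, the `allowedRoles` parameter and the `login` / `forbidden` result names are assumptions and need matching result mappings in struts.xml; the role lookup is the same `HttpServletRequest` check the quoted reply describes.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Hypothetical interceptor: checks container-managed roles and, on failure,
 * returns a result name instead of sending a 403 status.
 */
public class LoginResultRolesInterceptor extends AbstractInterceptor {

    // Comma-separated role list set from struts.xml, e.g.
    // <param name="allowedRoles">portalUser</param>
    private String[] allowedRoles = new String[0];

    // Assumed result names; map them as global results in struts.xml.
    private static final String LOGIN_RESULT = "login";
    private static final String FORBIDDEN_RESULT = "forbidden";

    public void setAllowedRoles(String roles) {
        this.allowedRoles = roles.trim().split("\\s*,\\s*");
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        HttpServletRequest request = ServletActionContext.getRequest();

        // Nobody authenticated with the container yet: show the login form.
        if (request.getRemoteUser() == null) {
            return LOGIN_RESULT;
        }

        // Authenticated: run the action only if one allowed role matches.
        for (String role : allowedRoles) {
            if (request.isUserInRole(role)) {
                return invocation.invoke();
            }
        }

        // Fail closed: a logged-in user without the role, or an interceptor
        // configured with no roles at all, never reaches the action.
        return FORBIDDEN_RESULT;
    }
}
```

`getRemoteUser()` and `isUserInRole()` only return useful values once the container (or a filter wrapping the request) has authenticated the user, so this replaces the 403 response but not the authentication step itself.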