Hi Everyone,
I'm attempting to secure my first Struts 2 web app using container
security with a DataSourceRealm. I'm using Tomcat 6 as my container.
Here is how my project is set up:
LicensingAdministration/
    META-INF/
        context.xml
    WEB-INF/
        web.xml
        classes/
            struts.xml
    protected/
        *JSP pages*
    login.jsp
    error.jsp
Without using struts, this works perfectly. Any attempt to access
anything under the protected area results in a redirect to the login
page, and from there all of the database stuff works fine. However,
when I added in struts, I am now able to bypass the security by
specifying an action directly.
For example, navigating to
http://localhost:8080/LicensingAdministration/CreateProduct.action will
bypass the login page and go directly to the CreateProduct action.
However, navigating to
http://localhost:8080/LicensingAdministration/protected/CreateProduct.action
will perform a redirect to the login (as expected).
Any suggestions on how to secure the actions so that the login cannot be
bypassed would be greatly appreciated! Below are the relevant parts of
my web.xml and context.xml files (I can post the full files if
necessary, but they contain a lot of resource definitions that aren't
related to the problem).
Also, in a slightly unrelated question, is it possible to use struts
tags in the login page? I was trying to use an s:url tag to specify the
location of the css. When redirected to the login page, the server
threw an exception and I got an error message stating that the Struts
dispatcher cannot be found.
Thanks!
Kelly
[web.xml]
<!-- Struts 2 filter, mapped to every request in the context -->
<filter>
  <filter-name>struts2</filter-name>
  <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
  <filter-name>struts2</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
[snip]
<!-- JNDI reference to the DataSource the realm authenticates against -->
<resource-env-ref>
  <resource-env-ref-name>jdbc/UsersDS</resource-env-ref-name>
  <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
</resource-env-ref>
<!-- Security Constraints: only URLs under /protected/ require the role -->
<security-constraint>
  <display-name>name</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>licensing-admin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Licensing Administration</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>licensing-admin</role-name>
</security-role>
<welcome-file-list>
  <welcome-file>protected/administer.jsp</welcome-file>
</welcome-file-list>
[/web.xml]
[context.xml]
<!-- JDBC DataSource holding the user and role tables -->
<Resource name="jdbc/UsersDS" auth="Container"
          type="javax.sql.DataSource"
          username="username"
          password="password"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost:3306/users"/>
<!-- Security Realm: authenticates against the DataSource above -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/UsersDS" localDataSource="true"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"/>
[/context.xml]
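Editor's added example, not part of Kelly's post: the Struts filter is mapped to /*, so an action requested at the context root (/CreateProduct.action) never falls under the /protected/* security constraint, and the container lets it through before Struts ever sees it. The script below applies the Servlet-spec url-pattern rules to the constraint from the post and to a hardened variant that also lists *.action (the hardened fragment and the request paths are constructed here, not taken from the post).

```python
"""Check which request paths a web.xml <security-constraint> set actually
covers, using the Servlet-spec url-pattern rules: exact match, path prefix
("/dir/*") and extension ("*.ext"). Both web.xml fragments are constructed
for this example; the first mirrors the constraint quoted in the post."""
import xml.etree.ElementTree as ET

# Constructed fragment matching the post: only /protected/* is guarded.
ORIGINAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>licensing-admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Hardened variant (an assumption, not from the post): also guard every
# Struts action, wherever it is mapped, with the extension pattern *.action.
HARDENED_WEB_XML = ORIGINAL_WEB_XML.replace(
    "<url-pattern>/protected/*</url-pattern>",
    "<url-pattern>/protected/*</url-pattern>\n"
    "      <url-pattern>*.action</url-pattern>")


def constrained_patterns(web_xml):
    """Return every url-pattern inside a constraint that demands a role."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        # A constraint without <auth-constraint> does not restrict access.
        if sc.find("auth-constraint") is None:
            continue
        patterns.extend(p.text.strip() for p in sc.iter("url-pattern"))
    return patterns


def pattern_matches(pattern, path):
    """Servlet-spec matching for one pattern against a context-relative path."""
    if pattern.endswith("/*"):               # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):             # extension pattern
        return path.endswith(pattern[1:])    # "*.action" -> ".action"
    return path == pattern                   # exact pattern


def is_protected(web_xml, path):
    """True if any role-requiring constraint covers this request path."""
    return any(pattern_matches(p, path) for p in constrained_patterns(web_xml))


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for path in ("/CreateProduct.action", "/protected/CreateProduct.action"):
            print(f"{label:8} {path:34} protected={is_protected(cfg, path)}")
```

Container security decides on the raw request URL before any filter runs, so the constraint has to name the action URLs themselves; putting the JSPs under /protected/ alone does not cover them.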