start here http://www.acegisecurity.org/guide/springsecurity.html
----- Original Message -----
From: "Kelly Graus" <[EMAIL PROTECTED]>
To: <user@struts.apache.org>
Sent: Tuesday, February 19, 2008 12:12 PM
Subject: Struts 2 Container Security problem

> Hi Everyone,
>
> I'm attempting to secure my first Struts 2 web app using container
> security with a DataSourceRealm. I'm using Tomcat 6 as my container.
> Here is how my project is set up:
>
>     LicensingAdministration/
>       META-INF/
>         context.xml
>       WEB-INF/
>         web.xml
>         classes/
>           struts.xml
>       protected/
>         *JSP pages*
>       login.jsp
>       error.jsp
>
> Without using Struts, this works perfectly. Any attempt to access
> anything under the protected area results in a redirect to the login
> page, and from there all of the database stuff works fine. However,
> when I added in Struts, I am now able to bypass the security by
> specifying an action directly.
>
> For example, navigating to
> http://localhost:8080/LicensingAdministration/CreateProduct.action will
> bypass the login page and go directly to the CreateProduct action.
> However, navigating to
> http://localhost:8080/LicensingAdministration/protected/CreateProduct.action
> will perform a redirect to the login (as expected).
>
> Any suggestions on how to secure the actions so that the login cannot be
> bypassed would be greatly appreciated! Below are the relevant parts of
> my web.xml and context.xml files (I can post the full files if
> necessary, but they contain a lot of resource definitions that aren't
> related to the problem).
>
> Also, in a slightly unrelated question, is it possible to use Struts
> tags in the login page? I was trying to use an s:url tag to specify the
> location of the css. When redirected to the login page, the server
> threw an exception and I got an error message stating that the Struts
> dispatcher cannot be found.
>
> Thanks!
> Kelly
>
> [web.xml]
> <filter>
>   <filter-name>struts2</filter-name>
>   <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
> </filter>
>
> <filter-mapping>
>   <filter-name>struts2</filter-name>
>   <url-pattern>/*</url-pattern>
> </filter-mapping>
>
> [snip]
>
> <resource-env-ref>
>   <resource-env-ref-name>jdbc/UsersDS</resource-env-ref-name>
>   <resource-env-ref-type>javax.sql.DataSource</resource-env-ref-type>
> </resource-env-ref>
>
> <!-- Security Constraints -->
> <security-constraint>
>   <display-name>name</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/protected/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>licensing-admin</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>Licensing Administration</realm-name>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> <security-role>
>   <role-name>licensing-admin</role-name>
> </security-role>
>
> <welcome-file-list>
>   <welcome-file>protected/administer.jsp</welcome-file>
> </welcome-file-list>
> [/web.xml]
>
> [context.xml]
> <Resource name="jdbc/UsersDS" auth="Container"
>           type="javax.sql.DataSource"
>           username="username"
>           password="password"
>           driverClassName="com.mysql.jdbc.Driver"
>           url="jdbc:mysql://localhost:3306/users"/>
>
> <!-- Security Realm -->
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
>        dataSourceName="jdbc/UsersDS" localDataSource="true"
>        userTable="users" userNameCol="user_name" userCredCol="user_pass"
>        userRoleTable="user_roles" roleNameCol="role_name"/>
> [/context.xml]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
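The container enforces its constraints purely by URL pattern, and the Struts filter mapped to /* answers actions at the context root as well as under /protected/, so only the directory is ever checked. The fragment below is an added example, not code from the thread: the posted constraint beside a corrected one that also covers the action extension (assumes the default .action extension), plus the filter-mapping change that makes Struts tags work on the container-forwarded login page (assumed fix for the second question).

```xml
<!-- BEFORE (as posted): only the directory is constrained, so an action
     reached at the context root, e.g. /CreateProduct.action, is unprotected. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>licensing-admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- AFTER (assumed fix, not from the thread): constrain the action extension
     too, so every *.action URL in any Struts namespace goes through the login.
     If struts.action.extension was changed, or extension-less actions are
     enabled, the pattern must match whatever the dispatcher actually serves. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area and all actions</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
    <url-pattern>*.action</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>licensing-admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Second question: FORM login forwards to login.jsp inside the container,
     and a filter mapped to /* only sees REQUEST dispatches by default, so no
     Struts context exists on the login page. Mapping FORWARD as well lets
     s:url run there (assumed fix, not from the thread). -->
<filter-mapping>
  <filter-name>struts2</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
```

A URL-pattern allow-list like this only protects paths you remembered to list; a deny-by-default constraint on /* with explicit exemptions for login.jsp and error.jsp fails safer when new actions or namespaces are added.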