There is a problem running Struts 2.1.6 on Websphere when security is enabled. The case happens when url is an action not a resource like jsp or html. Refer to JIRA WW-2642 that I opened almost a year ago.
I was hoping that Apache group can get their hands on Websphere to verify the issue but it seems like a distant probability as I have not heard any news on that for sometime. But on the bright site, there may be some good news on this soon. As I had to locate WAS L3 support in person and I am working with them on this issue [though the pace is slow]. Also keep in mind, the same issue exists on WAS 7.0.0.1 with a slight variation. If this is determined to be a Websphere problem with WAS 6.1. Then I have a stronger case to press issue for WAS 7.0. --- On Mon, 3/16/09, pblatner <pblat...@gmail.com> wrote: > From: pblatner <pblat...@gmail.com> > Subject: Re: Struts 2 Container Security problem > To: user@struts.apache.org > Received: Monday, March 16, 2009, 9:05 PM > > I have tried to do the exact thing that Jeromy suggests > below with 2 > packages. And then in the web.xml specify a security > constraint with the > URL pattern "/protected/*". After doing so, I am not > getting the result > that I think I should be. > > When issuing a request for my action at > "http://localhost/MyApp/protected/HomeAction";, the > container is not > intercepting and challenging me with my logon.html page. > > Anyone know why this isn't working? > > The struts 2 servlet-filter pattern is "/*".. It seems > pretty obvious that > the struts 2 servlet filter is responding to the first part > of the URL: > "http://localhost/MyApp/*"; and the container isn't > seeing that as a secured > resource. > > Am I missing a configuration pattern somewhere that tells > the container to > inspect the full URL before allowing the servlet filter to > process it? > > My deployment environment is WebSphere 6.1. Are there > any incompatibilities > between WebSphere 6.1 and struts 2 that could be causing > this? > > Thanks, > Pete. > > > Jeromy Evans - Blue Sky Minds wrote: > > > > In struts.xml, the namespace given to your package > needs be in > > /protected as well. > > eg. <package name="myPackage" > namespace="/protected"> > > Otherwise, as you've seen, it's available in the root > of the > > application's context path. > > > > I usually split my struts2 application into at least > two packages: > > <package name="public" namespace="/"> ... > > <package name="secure" namespace="/protected"> > > > > -- > View this message in context: > http://www.nabble.com/Struts-2-Container-Security-problem-tp15571409p22547426.html > Sent from the Struts - User mailing list archive at > Nabble.com. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: user-unsubscr...@struts.apache.org > For additional commands, e-mail: user-h...@struts.apache.org > > __________________________________________________________________ Instant Messaging, free SMS, sharing photos and more... Try the new Yahoo! Canada Messenger at http://ca.beta.messenger.yahoo.com/ --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
