Application Controlled Authentication - Tomcat & Struts

[Antoine Diot]

Hello All. Thanks in advance for your help.

I'm trying to implement Application controlled security in conjunction
with the <security-constraint> option in web.xml. I'm using Struts
1.1 and Tomcat 5.0.24.Here's what I got.

web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginError.jsp</form-error-page>
</form-login-config>
</login-config>

struts-config.xml:
<form-beans>
<form-bean name="LoginForm" type="forms.LoginForm"/>
</form-beans>
...
<action
path="/Login"
type="actions.LoginAction"
name="LoginForm"
scope="request"
validate="true"
input="/login.jsp">
</action>

The LoginAction class takes care of authentication using the values in
LoginForm successfully. My question is, if the user request something
with /secure in it's path, for example, /secure/page1, how do I
forward to the originally requested page after the user is
authenticated successfully. Normally I would return an ActionForward
object that forwards to the requested page, but I'm not sure how to
figure out what the requested page is from within the LoginAction
object.

 

[Rajesh Tihari]

You can also try out CAS. It is available at http://www.yale.edu/tp/auth/
It is an excellent Open Source Single Sign On product.

Cheers
Rajesh

 

[Rajesh Tihari]

You can also try out CAS. It is available at http://www.yale.edu/tp/auth/
It is an excellent Open Source Single Sign On product.

Cheers
Rajesh

 

[pravda]

There is an alternative to using CAS (which seems promissing). Just
store the url of the requesting page in the session by default.
Define a string property in the Super ActionForm to set the "
frompage" in ever JSP you use (and perhaps the toPage). In this manner
you always keep control on the flow. Your login-action accesses the
form to retrieve the orginal page and forwards either to the login.jsp
or to tthe toPage".
Regards,
herman ( who's incredible drunk).

 

[pravda]

Hello All. Thanks in advance for your help.

I'm trying to implement Application controlled security in conjunction
with the <security-constraint> option in web.xml. I'm using Struts
1.1 and Tomcat 5.0.24.Here's what I got.

web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Area</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginError.jsp</form-error-page>
</form-login-config>
</login-config>

struts-config.xml:
<form-beans>
<form-bean name="LoginForm" type="forms.LoginForm"/>
</form-beans>
...
<action
path="/Login"
type="actions.LoginAction"
name="LoginForm"
scope="request"
validate="true"
input="/login.jsp">
</action>

The LoginAction class takes care of authentication using the values in
LoginForm successfully. My question is, if the user request something
with /secure in it's path, for example, /secure/page1, how do I
forward to the originally requested page after the user is
authenticated successfully. Normally I would return an ActionForward
object that forwards to the requested page, but I'm not sure how to
figure out what the requested page is from within the LoginAction
object.