Struts2 and Java EE authentication

kenny...@strongbackconsulting.com

Apr 17, 2009, 10:21:46 PM
I have WAS 7.0.0.3 and a Struts2 application. I cannot for the life of me get it to prompt for a login page on any struts action I've created. I am able to secure static pages, but not Struts2 actions. I have both administrative and application security turned on. I am not using Java2 security. I have a rule for /* in my web.xml, and on my Struts2 action methods, I'm using either @PermitAll or @RolesAllowed, yet it still does not prompt for authentication (but secures all the static pages and jsps). Does anyone have any suggestions on how to get around this?

Raj Sivaraj

Apr 19, 2009, 2:31:07 PM
On Apr 17, 9:21 pm, kenny.sm...@strongbackconsulting.com wrote:
> I have WAS 7.0.0.3 and a Struts2 application. I cannot for the life of me get it to prompt for a login page on any struts action I've created. I am able to secure static pages, but not Struts2 actions. I have both administrative and application security turned on. I am not using Java2 security. I have a rule for /* in my web.xml, and on my Struts2 action methods, I'm using either @PermitAll or @RolesAllowed, yet it still does not prompt for authentication (but secures all the static pages and jsps). Does anyone have any suggestions on how to get around this?

In our 5.1 app, the login prompt would be launched by a "filter" if the
incoming session was not authenticated. But in 6.1 the filter will not
get control at all. So we had to have a helper "Servlet" FIRST
that would get launched on an unauthenticated session, which in turn
forwards to the old filter we had... this way we could get the login
form launched.

rang...@gmail.com

Apr 19, 2009, 7:46:30 PM
On Apr 18, 12:21 pm, kenny.sm...@strongbackconsulting.com wrote:
> I have WAS 7.0.0.3 and a Struts2 application. I cannot for the life of me get it to prompt for a login page on any struts action I've created. I am able to secure static pages, but not Struts2 actions. I have both administrative and application security turned on. I am not using Java2 security. I have a rule for /* in my web.xml, and on my Struts2 action methods, I'm using either @PermitAll or @RolesAllowed, yet it still does not prompt for authentication (but secures all the static pages and jsps). Does anyone have any suggestions on how to get around this?

What does your web.xml file look like? Got something like this in it?

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.do</form-login-page>
        <form-error-page>/loginerror.do</form-error-page>
    </form-login-config>
</login-config>

astrally2005

Apr 23, 2009, 4:51:17 AM
Here is an extract from our web.xml with some classes removed,


    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>com.someclasses.</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <listener>
        <listener-class>org.apache.struts2.tiles.StrutsTilesListener</listener-class>
    </listener>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <security-constraint id="SecurityConstraint_1">
        <web-resource-collection id="WebResourceCollection_1">
            <web-resource-name>Secured Application</web-resource-name>
            <description>Protection area for Secured Application</description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint id="AuthConstraint_1">
            <description>Application Security:+:All Authenticated users for Application</description>
            <role-name>All Role</role-name>
        </auth-constraint>
        <user-data-constraint id="UserDataConstraint_1">
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-role id="SecurityRole_1">
        <description>All Authenticated Users Role</description>
        <role-name>All Role</role-name>
    </security-role>

</web-app>


We are using Struts and Spring Security. In order to trigger
authentication by J2EE, from which we can then determine the user role
based on the HTTP request object, we needed to use three additional
webcontainer settings
(com.ibm.ws.webcontainer.assumefiltersuccessonsecurityerror is only
available with Fixpack23):

com.ibm.ws.webcontainer.disablesecuritypreinvokeonfilters=false
com.ibm.ws.webcontainer.assumefiltersuccessonsecurityerror=true
com.ibm.ws.webcontainer.invokefilterscompatibility=true

Although, funnily enough, another one of our applications requires
com.ibm.ws.webcontainer.disablesecuritypreinvokeonfilters=true.
We need to deploy that on different application servers to support the
different webcontainer settings.

Hope that helps

Andrew
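
A descriptor like the extract above can be checked mechanically before deployment. The following is an added example, not part of the thread or any poster's code: it parses a web.xml and reports constraints that enumerate HTTP methods (which limits the constraint to those methods), roles with no <security-role> declaration, FORM login without a CONFIDENTIAL transport guarantee, and constrained URL patterns that are also mapped to a filter, the case this thread is about. The names audit_web_xml, texts and SAMPLE_WEB_XML are hypothetical, and the sample descriptor is constructed from the fragments quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the extract above inside a <web-app>
# root, plus the FORM login-config asked about earlier in the thread.
SAMPLE_WEB_XML = """<web-app>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>All Role</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
  <security-role><role-name>All Role</role-name></security-role>
</web-app>"""

def texts(node, path):
    """Stripped text of every element matching path below node."""
    return [(e.text or "").strip() for e in node.findall(path)]

def audit_web_xml(xml_text):
    """Return a list of findings for a Servlet 2.5 style web.xml (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any namespace prefix from tag names
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    declared = set(texts(root, "security-role/role-name"))
    form_login = "FORM" in texts(root, "login-config/auth-method")
    filter_patterns = set(texts(root, "filter-mapping/url-pattern"))
    for sc in root.findall("security-constraint"):
        patterns = texts(sc, "web-resource-collection/url-pattern")
        methods = texts(sc, "web-resource-collection/http-method")
        guarantee = texts(sc, "user-data-constraint/transport-guarantee")
        if methods:  # listing methods limits the constraint to those methods
            findings.append(f"{patterns}: constraint applies only to {methods}")
        for role in texts(sc, "auth-constraint/role-name"):
            if role != "*" and role not in declared:
                findings.append(f"{patterns}: role '{role}' has no <security-role>")
        if form_login and "CONFIDENTIAL" not in guarantee:
            findings.append(f"{patterns}: FORM login without CONFIDENTIAL transport")
        for p in sorted(filter_patterns & set(patterns)):
            findings.append(f"{p}: also mapped to a filter; verify it prompts for login")
    return findings
```

Calling audit_web_xml(SAMPLE_WEB_XML) returns three findings for the constructed sample; a clean descriptor returns an empty list.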
