integration between struts and servlet auth

[tremalnaik]

Hi everibody,
I'm using the ssl extension library for Struts (sslext) to switch
between encrypted and unencrypted pages in my webapp. Everything works
fine excerpt for the login page, which is handled by the servlet
authentication mechanism. Some excerpt from my config files follow:

------------ web.xml ------------------
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected actions and
pages</web-resource-name>
<description>no description</description>
<url-pattern>*.do</url-pattern>
<url-pattern>/index.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>TestUser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>

<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/WEB-INF/jsp/logon/logon.jsp</form-login-page>

<form-error-page>/WEB-INF/jsp/logon/logonError.jsp</form-error-page>
</form-login-config>
</login-config>

------------ web.xml ------------------

------------- struts-config.xml ------------
<action-mappings type="org.apache.struts.config.SecureActionConfig">
<action forward="/WEB-INF/jsp/logon/logon.jsp" path="/logon" >
<set-property property="secure" value="true"/>
</action>
<action input="page.clientHome" name="accountForm"
path="/openClient" scope="session"
type="com.ciccio.pasticcio.web.actions.OpenClientAction"
validate="true" >
<set-property property="secure" value="false"/>
</action>
</action-mappings>
.....
<controller
processorClass="org.apache.struts.action.SecureTilesRequestProcessor"
/>
<plug-in className="org.apache.struts.action.SecurePlugIn">
<set-property property="httpPort" value="8080"/>
<set-property property="httpsPort" value="8443"/>
<set-property property="enable" value="true"/>
<set-property property="addSession" value="false"/>
</plug-in>
------------- struts-config.xml ------------

First I tried adding at the top of logon.jsp these lines:

<%@ taglib uri="/WEB-INF/tld/sslext.tld" prefix="sslext"%>
<sslextageScheme secure="true" />

but when I try to access a protected url (ie.
http://localhost:8080/testapp/openClient.do) I have an error:

'The requested resource (/testapp/WEB-INF/jsp/logon/logon.jsp) is not
available.'

So I got rid of the sslext tag and I modified the web.xml
<login-config> as

<form-login-page>/logon.do</form-login-page>

Now encryption works and the logon page appears on a secure channel,
but when I push the form login button the user (while authenticated) is
not redirected to the original URL he has entered (openClient) but
remains in the login page. It seems the URL got lost by the container
because of the http -> https redirection.

I've tried with

<action include="/WEB-INF/jsp/logon/logon.jsp" path="/logon" >

but the behaviour was not changing. I tested with IE 6.0 and Firefox
1.0.4

Can anyone help me?

TREMALNAIK

 

[Andrew Thompson]

Hi everibody,
I'm ..

...multi-posting. Please refrain from doing so.
<http://www.physci.org/codes/javafaq.jsp#xpost>

 

[tremalnaik]

..multi-posting. Please refrain from doing so.
<http://www.physci.org/codes/javafaq.jsp#xpost>

Multiposting is when the number of reposting reaches the number of 3

TREMALNAIK

 

[Andrew Thompson]

Multiposting is when the number of reposting reaches the number of 3

- Got a reference for that? My reference is RFC 1855,
Section 3.1.3 - 'Netnews Guidelines', points 1 and 5.
<http://www.physci.org/rfc/rfc1855.jsp#3_1_3>.
You might try reading that sometime (before you next
consider multi-posting to two or more groups).

- How am I supposed to know how many groups you have posted
to. You made no reference to the other post(s) in any thread
I saw. Loan me your crystal ball?

- Given the first point, why should I care how many groups
you have mutli-posted to?

But ultimately, it seems you are saying 'it is OK to waste
people's time, so long as it is only on two groups at a time'.

Does that sum up the way you see it?

 

[tremalnaik]

- Got a reference for that? My reference is RFC 1855,
Section 3.1.3 - 'Netnews Guidelines', points 1 and 5.
<http://www.physci.org/rfc/rfc1855.jsp#3_1_3>.
You might try reading that sometime (before you next
consider multi-posting to two or more groups).

ok, I don't have any RFC to refer to, but in my opinion education is a
matter of opinion, not a RFC problem. I believe that waiting people
"behind a tree" to catch them doing something we consider wrong just
for the pleasure you get in complaining reveals some kind of pestilent
thinking. I believe I was not unpolite, neither if you look my posts in
the USENET you may say I ever committed some annoying action against
noone. I just posted my question in the Help group, then, I decided the
Programmer group was better, that's all. I don't think that my
beheavior caused the wasting of anyone precious time, as the offtopic
discussion in which we are involving. I apologize .

TREMALNAIK

 

[Andrew Thompson]

....
ok, I don't have any RFC to refer to, ..

You can refer to the same one. I sure don't 'own' it.
It was formulated long before I ever posted to the
usenet news groups.

..but in my opinion education is a matter of opinion,

Who's. Yours?

The prevailing opinion (by many contributors to the groups)
is that multi-posting is counter productive.

..I apologize .

...I do not feel you owe me (or anyone) an apology.

I would like to hear though, that you intend *not* to
multi-post in future.