| Author |
Struts + Custom user registry
|
| Hey
thanks for all your help Paul.
Now we are facing a new strange problem. We made a simple application using custom user registry to validate username and password and a custom login module to increment the subject. It worked great.
But, when we did the same with a struts application, the subject and the caller principal are always null.
Both applications are using the same user registry and login module.
Any ideas of what is wrong?
thanks!
Thiago
| |
| Paul Ilechko 2006-04-27, 8:08 am |
| thiago@softplan.com.br wrote:
> Hey thanks for all your help Paul. Now we are facing a new strange
> problem. We made a simple application using custom user registry to
> validate username and password and a custom login module to increment
> the subject. It worked great. But, when we did the same with a struts
> application, the subject and the caller principal are always null.
> Both applications are using the same user registry and login module.
> Any ideas of what is wrong? thanks!
I have no idea why Struts should make a difference - that's just a way
to build applications, and should have no impact on security.
| |
|
| > I have no idea why Struts should make a difference - that's just a way
> to build applications, and should have no impact on security.
Found the problem.
You need to specify that "*.do" is protected in your web.xml file.
If you only declare "*.jsp", then the subject is not available.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Content</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.do</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
:P
| |
| Paul Ilechko 2006-04-27, 8:08 am |
| thiago@softplan.com.br wrote:
>
> Found the problem.
> You need to specify that "*.do" is protected in your web.xml file.
> If you only declare "*.jsp", then the subject is not available.
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Secure Content</web-resource-name>
>     <url-pattern>*.jsp</url-pattern>
>     <url-pattern>*.do</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>
> :P
>
Yeah, you have to protect all your application components. I assumed you
were doing so.
|
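An added example, not part of the thread or of any project's code: a small Python check that lists the servlet mappings in a web.xml that no security-constraint with an auth-constraint covers, which is the gap found above (requests went to "*.do" while only "*.jsp" was constrained). The servlet name `action`, the role `user` and both sample descriptors are constructed assumptions.

```python
import xml.etree.ElementTree as ET

def local_name(tag):
    # Drop any XML namespace so DTD-based and schema-based descriptors both work.
    return tag.rsplit("}", 1)[-1]

def find_all(el, name):
    return [e for e in el.iter() if local_name(e.tag) == name]

def covers(constraint, mapping):
    """True if a constraint url-pattern covers a servlet-mapping url-pattern."""
    if constraint in ("/*", mapping):
        return True
    # A path-prefix pattern such as /app/* covers mappings beneath /app/,
    # but never an extension mapping such as *.do, which matches any path.
    if constraint.endswith("/*") and not mapping.startswith("*."):
        return mapping.startswith(constraint[:-1]) or mapping == constraint[:-2]
    return False

def unprotected_mappings(web_xml):
    """Return (servlet-name, url-pattern) pairs that no auth-constraint protects."""
    root = ET.fromstring(web_xml)
    protected = []
    for sc in find_all(root, "security-constraint"):
        if find_all(sc, "auth-constraint"):  # constraints without one require no login
            protected += [p.text.strip() for p in find_all(sc, "url-pattern")]
    gaps = []
    for sm in find_all(root, "servlet-mapping"):
        name = find_all(sm, "servlet-name")[0].text.strip()
        for p in find_all(sm, "url-pattern"):
            if not any(covers(c, p.text.strip()) for c in protected):
                gaps.append((name, p.text.strip()))
    return gaps

# Constructed sample descriptor: a Struts-style servlet mapped to *.do.
TEMPLATE = """<web-app>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Content</web-resource-name>{patterns}
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
JSP_ONLY = TEMPLATE.format(patterns="<url-pattern>*.jsp</url-pattern>")
JSP_AND_DO = TEMPLATE.format(patterns="<url-pattern>*.jsp</url-pattern><url-pattern>*.do</url-pattern>")
if __name__ == "__main__":
    print(unprotected_mappings(JSP_ONLY), unprotected_mappings(JSP_AND_DO))
```

The check only compares declared patterns; it does not look at http-method lists, so a constraint that names specific methods is still counted as covering the pattern.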