Java Mailing List Archive

http://www.junlu.com/


Re: Authentication / RolesInterceptor

Piero Sartini

2007-02-09

On Thursday, 8 February 2007, Ian Roughley wrote:
> You probably don't need to send it to an action, you just need to render
> the HTML form for authentication. So, login.jsp would suffice. As far
> as s2 is concerned, authentication is completely external. The role
> interceptor just uses the HttpServletRequest to obtain the roles that
> the current user is logged in under.

If security is completely external, what is the Interceptor for? Defining a
SecurityConstraint in the web.xml file will prevent unauthorized access as
well, wouldn't it? (It seems to be the wrong way to me - I define the actions
in struts.xml, I do not see the point to include them in web.xml as well for
security)

But the interceptor just responds with a 403 if the user is not authorized - is
there no possibility to present another action in this case (the login
form?).

Or do I misunderstand this whole thing completely?

----- code -----
  <security-constraint>
    <display-name>Constraint1</display-name>
    <web-resource-collection>
       <web-resource-name>profile</web-resource-name>
       <description>change user profile</description>
       <url-pattern>/EditProfile_input.action</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       <http-method>HEAD</http-method>
       <http-method>PUT</http-method>
       <http-method>OPTIONS</http-method>
       <http-method>TRACE</http-method>
       <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
       <description/>
       <role-name>portalUser</role-name>
    </auth-constraint>
  </security-constraint>
---- code -----
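
The arrangement discussed in this message, as an added configuration example that is not part of the original post or of the Struts 2 project: the container handles FORM login with `login.jsp`, and the `roles` interceptor only checks the roles the container has already established. The error page name, action class and result path are assumptions made for illustration.

```xml
<!-- web.xml fragment: authentication is done by the servlet container. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>profile</web-resource-name>
    <url-pattern>/EditProfile_input.action</url-pattern>
    <!-- No <http-method> elements: the constraint then applies to every
         HTTP method, including any that an explicit list would leave out. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>portalUser</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- The container serves this page to unauthenticated users who request
         a constrained URL; its form posts j_username and j_password to
         j_security_check. -->
    <form-login-page>/login.jsp</form-login-page>
    <!-- Assumed page name, shown when the credentials are rejected. -->
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>portalUser</role-name>
</security-role>

<!-- struts.xml fragment: authorization check inside Struts 2.
     The roles interceptor asks the HttpServletRequest whether the user is in
     an allowed role and answers 403 otherwise; it never shows a login form. -->
<action name="EditProfile_input" class="example.EditProfileAction"> <!-- assumed class -->
  <interceptor-ref name="roles">
    <param name="allowedRoles">portalUser</param>
  </interceptor-ref>
  <interceptor-ref name="defaultStack"/>
  <result>/editProfile.jsp</result> <!-- assumed result path -->
</action>
```

With this split, an anonymous request to the constrained URL gets the login form from the container, while a logged-in user who lacks `portalUser` receives a 403.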
