How do I authenticate users with Struts?

Ted Husted

You can use either container-based security or form-based security to authenticate users.

With container-based security, the Web browser will track the logins for you, and "replay" the credentials to the server whenever they are required. If a browser hasn't been authenticated yet, it will automatically display a simple login form. If the login passes, the user's original request will proceed. This also works properly if a user tries to POST from a form to an action URI in a protected area: once the browser is authenticated, the POST proceeds normally.

For applications that manage their own logins, it is probably easier to insist that every single page test for an authenticated user first, and redirect to the login page if not. The Struts example application does this, partially by use of an application-specific custom tag (app:checkLogon) that performs this check at the top of every page. The tag is application-specific, because the notion of what constitutes a "logged on user" is application-specific as well.
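
A sketch of the kind of page-guard tag described above, as an added example; it is not the Struts example application's own code. The package, class name, session attribute `user` and login path `/logon.jsp` are assumptions, and "logged on" is taken to mean that the session holds that attribute.

```java
package example.security; // hypothetical package, not part of Struts

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

/**
 * Guard tag for protected JSPs. Once declared in a tag library descriptor
 * (assumed prefix "app"), put <app:checkLogon/> as the first element of the
 * page, before any output is written, so the redirect can still be sent.
 */
public class CheckLogonTag extends TagSupport {

    // Assumed: the application's login action stores the user object
    // in the session under this attribute name.
    private String name = "user";
    // Assumed: context-relative path of the application's login page.
    private String page = "/logon.jsp";

    public void setName(String name) { this.name = name; }
    public void setPage(String page) { this.page = page; }

    @Override
    public int doStartTag() {
        return SKIP_BODY; // the tag has no body to evaluate
    }

    @Override
    public int doEndTag() throws JspException {
        // getSession() is null when the page opts out of sessions;
        // treat that the same as "not logged on" (fail closed).
        HttpSession session = pageContext.getSession();
        if (session != null && session.getAttribute(name) != null) {
            return EVAL_PAGE; // authenticated: render the rest of the page
        }
        HttpServletRequest request = (HttpServletRequest) pageContext.getRequest();
        HttpServletResponse response = (HttpServletResponse) pageContext.getResponse();
        try {
            response.sendRedirect(request.getContextPath() + page);
        } catch (IOException e) {
            throw new JspException("Could not redirect to the login page", e);
        }
        return SKIP_PAGE; // do not render any of the protected page
    }
}
```

Returning `SKIP_PAGE` is what keeps the protected content from being rendered after the redirect is issued. The check only covers pages that include the tag, so a page that omits it is unprotected.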