For a number of reasons, some time ago I decided to move away from using a programmatic authorization solution in a Struts 2 web app towards using Tomcat Container Managed Security (CMA). I now regret that decision as it’s caused me all sorts of issues. The three things that bother me most, though, are the following:
- When logging in directly from the login page without first requesting a protected resource, Tomcat throws up an error. Tomcat CMA mandates that you navigate directly to a protected resource before logging in, in which case it will display the login page instead. This seems awkward and is not the case with other servlet containers like JBoss.
- I can’t specify a Struts 2 action as the login page. This means I have to have a separate JSP that contains all the relevant login markup, which is inconsistent with the use of the framework everywhere else in the application.
- As far as I can tell, CMA does not play nice with my configuration of Sitemesh, Freemarker and Struts 2 across multiple webapps. I wasn’t able to get to the root cause of the problem. I have multiple webapps, some Struts 2, some not, that all use Freemarker and use the same Sitemesh decorators. The CMA login page would not display correctly for some of these.
Ultimately item 3 was the straw that broke the camel’s back. I’ve since moved to Spring Security, which I’ve found easy to configure and which resolved all of the issues listed above.