tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Using a servlet for authorization
Date Thu, 18 Oct 2001 15:01:59 GMT

On 18 Oct 2001, Dr. Evil wrote:

> Date: 18 Oct 2001 09:04:05 -0000
> From: Dr. Evil <>
> Reply-To:
> To:
> Subject: Using a servlet for authorization
> I am trying to use a servlet for authorization like this:
> There is a servlet called authservlet which checks to see if there is
> a valid user object in the session state.  Here is how it is used:
> I have a directory called /secure with a bunch of .jsp files in it.
> There is a mapping in web.xml:
>    <servlet-mapping>
>       <servlet-name>
>         authservlet
>       </servlet-name>
>       <url-pattern>
>         /secure/*
>       </url-pattern>
>    </servlet-mapping>
> Every time someone tries to request a page like /secure/hello.jsp, the
> request is instead handed to authservlet.  That part is working fine.
> authservlet gets the request and can decide what to do with it.
> The problem is that I am trying to get authservlet to pass the request
> back to the jsp by doing something like this:
>         RequestDispatcher rd =
>         request.getRequestDispatcher("/secure/hello.jsp");
>         rd.forward(request, response);
> where in this case I have hard-coded in hello.jsp as the target, just
> for testing (obviously I will replace this with something which looks
> at what the real url is).
> The problem is, when I then try to load /secure/hello.jsp, it looks
> like the server goes into an infinite loop.  It never returns the page
> and I end up with a bunch of catalina processes running, which I have
> to kill -9 to get rid of.

It's not the server that went into a loop -- it's your application.

The request dispatcher mechanism uses the same servlet mappings that are
used on the original request.  Therefore, the request dispatcher for
"/secure/hello.jsp" will select your authentication servlet again, which
will get another request dispatcher, which will ...

The solution to this problem, at least in a Servlet 2.3 environment (like
Tomcat 4), is to use a Filter for performing this kind of authentication.
There was a thread on this over the last couple of days on TOMCAT-USER --
check the archives for some good ideas.

> I'm sure I'm making some simple mistake here.  Any suggestions?
> Thanks

