tomcat-users mailing list archives

From Richard Troy <rt...@ScienceTools.com>
Subject RE: blocking access using filter (fwd)
Date Thu, 15 Nov 2001 20:00:51 GMT
Date: Thu, 18 Oct 2001 11:58:34 +0200
From: Taavi Tiirik <taavi@ibs.ee>
Reply-To: tomcat-user@jakarta.apache.org
To: tomcat-user@jakarta.apache.org
Subject: RE: blocking access using filter

Thanks, Craig!

> > 1. If user is not logged in or if the session has
> > timed out then it should open login page and after
> > successful login it should try to access the very
> > same request (ie. the same document).

> I don't quite see why you need to modify the standard
> form-based login mechanisms, either.  Can't you just use
> the standard form based login for triggering authentication?

No, I did not want to modify standard login mechanism by
any means :-). I simply had this (wrong) impression that
filters get called before checking security constraints.
How stupid of me :-). Creating security constraint like
you suggested covered the first step and now I have this
filter purring like a kitten.

Just in case anybody is interested... this is what I did.
doFilter looks like this:

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public void doFilter (
	ServletRequest request,
	ServletResponse response,
	FilterChain chain
)
throws IOException, ServletException
{
	HttpServletRequest httpRequest = null;
	HttpServletResponse httpResponse = null;

	if( request instanceof HttpServletRequest )
		httpRequest = (HttpServletRequest)request;

	if( response instanceof HttpServletResponse )
		httpResponse = (HttpServletResponse)response;

	// Is this really necessary? Could it be that requests
	// other than HttpServletRequest are passed to
	// this filter? Can they be harmful by any means?
	// Or should I let them through?
	if( httpResponse == null ){
		// No HTTP response to send an error on, so fail closed
		// instead of dereferencing null.
		throw new ServletException( "non-HTTP response rejected" );
	}

	// The container's security constraint runs before the filter,
	// so getRemoteUser() is set for a logged-in user; fail closed
	// (404, as below) when there is no HTTP request or no user.
	String user = ( httpRequest == null ) ? null : httpRequest.getRemoteUser();
	if( httpRequest == null || user == null ){
		httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
		return;
	}

	String requestURI = httpRequest.getRequestURI();
	boolean authorized = false;

	try {
		// At this point we have user name in 'user' and request URI
		// in 'requestURI'. Make sure that this user has rights to
		// get this document and set authorized to true, if (s)he has.

		authorized = ...

	} catch( Exception e ){
		// Any failure leaves 'authorized' false, i.e. access is denied.
	}

	if( !authorized ){
		httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
		return;
	}

	// Pass control on to the next filter
	chain.doFilter( request, response );
}

with best wishes,
Taavi



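A complete filter in the same pattern, added here as an example (it is not Taavi's code nor anything shipped with Tomcat): the rights check that the message leaves as "authorized = ..." is filled in with a constructed table mapping URI prefixes to the container role a caller must hold, checked through isUserInRole(); the prefixes, role names and class name are assumptions.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; assumes a web.xml security-constraint already forces
// form login for these URIs, so getRemoteUser() is set when we get here.
public class DocumentAuthFilter implements Filter {

    // Constructed rule table (not from the original message): the longest
    // matching URI prefix wins and its value is the required role.
    // A URI with no matching rule is denied.
    private static final Map<String, String> RULES = new LinkedHashMap<String, String>();
    static {
        RULES.put("/docs/admin/", "admin");
        RULES.put("/docs/", "reader");
    }

    public void init(FilterConfig config) {}
    public void destroy() {}

    // Decision logic kept free of side effects so it can be unit-tested.
    static boolean isAuthorized(String user, String uri, HttpServletRequest req) {
        if (user == null || uri == null) return false;
        String best = null;
        for (String prefix : RULES.keySet()) {
            if (uri.startsWith(prefix) && (best == null || prefix.length() > best.length()))
                best = prefix;   // e.g. /docs/admin/x matches both rules; keep the longer one
        }
        return best != null && req.isUserInRole(RULES.get(best));
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Fail closed on anything that is not HTTP: there is no user to check.
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            throw new ServletException("non-HTTP request rejected");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        if (!isAuthorized(httpRequest.getRemoteUser(), httpRequest.getRequestURI(), httpRequest)) {
            // 404 rather than 403, as in the original, so callers without
            // rights learn nothing about whether the document exists.
            httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }
}
```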

