tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Field-Elliot <>
Subject Re: JAASRealm/LoginManager questions
Date Mon, 10 Feb 2003 01:22:18 GMT
On Sun, 2003-02-09 at 18:09, Craig R. McClanahan wrote:

    Ah, if only it would ... it would require a change to the servlet
    spec to
    allow filters to perform "container managed security"
    >From a container writer's point of view, I get a little uneasy
    about delegating this responsibility to an application -- but I can
    some use cases for it.

In my proposal, (contrary to what I read in your response), I wasn't
going to use the Filter to perform actual authentication. Instead, I was
going to use the filter, to re-write the SAML response
(request.getParameter("SAML...")) as standard form authentication
parameters (request.setParameter("j_username", xxx),
request.setParameter("j_password", yyy)). Then, these usernames and
passwords would be passed down to the JAAS layer where my LoginManager
can process them.

But as you say prior, the filters aren't even being run, apparently,
before the container evaluates j_username and j_password, so I guess I
have no Servlet-standard hook there. I guess it's off to the
Authenticator API I go. 

Heck, at least I can keep all the authentication logic in one place with
that strategy, as opposed to splitting it between a Filter and a

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message