tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bryan Field-Elliot <>
Subject Re: JAASRealm/LoginManager questions
Date Thu, 13 Feb 2003 22:38:40 GMT
See my additional question at bottom:

On Sun, 2003-02-09 at 18:09, Craig R. McClanahan wrote:

    > However, a Filter (Servlet 2.3)
    > could parse this SAML
    > response, and re-package the request parameters as a j_username
    and a
    > j_password (even though, really, the j_username isn't a true
    > YET).
    Filters aren't going to help ... they run *after* the security
    constraints are evaluated, and *after* authentication has taken
    That's why you need to use a Valve instead (Authenticator extends
    to ensure that you run *before*.
    > THEN, (still with me?), a JAASRealm could forward this j_username
    > j_password to my LoginManager, for final SAML processing and log
    > bloke on.
    > It seems a little convoluted, but, what it buys me is, any Servlet
    > container which supports form-based authentication, and which
    > JAAS for realms (or equivalent), can harness this toolkit. I
    assume (but
    > have not verified) that this buys me into the major J2EE
    containers --
    > Weblogic, SunONE, Websphere, etc, in addition to my favorite
    > Does this sound like it would work?
    Ah, if only it would ... it would require a change to the servlet
    spec to
    allow filters to perform "container managed security"
    >From a container writer's point of view, I get a little uneasy
    about delegating this responsibility to an application -- but I can
    some use cases for it.

Craig, there is one subtle point I was trying to make, and I'm not sure
if you got it. I was NOT proposing that my Filter perform
container-managed sercurity authentications (as you went on to explain
was impossible). Instead, I was proposing that my Filter re-write the
request parameters of an incoming FORM-POST into the Servlet-standard
"j_username" and "j_password", and then Forward (or do I have to
Redirect?) to the "j_security_check" URI. 

My filter would be consuming the SAML response, munging it into other
parameters (j_username, j_password), and re-posting (or forwarding) to

This would let me use: (a) the standard FORM auth-method in web.xml,
(b), a standard Filter, and (c) a standard JAAS LoginModule, without
having to write any container-specific code (such as a Tomcat

The assumption I am making in order for this to work, is that the
Servlet spec will allow requests to appear in the middle of the
FORM-based authentication, AFTER the original form has been rendered to
the browser, but BEFORE a POST is made to "j_security_check".

With my slightly more detailed explanation, do you still assert that
this can't work, and that I have no choice (today) but to go to
container-specific extensions like Tomcat.Authenticator?

Thanks for hashing this out with me,


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message