tomcat-users mailing list archives

From "Craig Berry" <Craig.Be...@portblue.com>
Subject RE: Customizing login system in Tomcat ?
Date Mon, 14 Apr 2003 22:27:07 GMT
It's rather frustrating.  I have my jboss/tomcat webapp configured to
use Forms authentication, using a database authenticator, and that works
wonderfully.  The resulting user sessions are both persistent across
servlet requests and work for accessing protected EJBs using the same
authenticator.  On the other hand, I can programmatically create a user
identity (using LoginContext against the ClientLogin authenticator)
which behaves exactly the same within a single servlet request in terms
of accessing EJBs, but does not persist across session requests.  If I
could only do both at the same time -- programmatic creation and
multi-request persistence -- I'd be in great shape.  As it stands, I'm
going in circles.  Help, please, anyone?

-----Original Message-----
From: Erik Price [mailto:eprice@ptc.com] 
Sent: Monday, April 14, 2003 12:14 PM
To: Tomcat Users List
Subject: Re: Customizing login system in Tomcat ?


I am just now reading in the Servlet 2.3 specification that J2EE 
compliant web containers are required to propagate a user's role to the 
EJB invocations.  It is in section 12.7.  However, this probably will 
not work with your system since it is not handled at the container 
level.  You would have to adjust your webapp to accommodate this system.

I did not find mention in the specification of a way to use a database 
rather than a deployment descriptor file to provide the list of users, 
passwords, and roles.


Erik



Craig Berry wrote:
> That would certainly work, but is there a way to do it that integrates 
> more cleanly to JAAS, so that the authenticated identity more 
> naturally distributes to Jboss EJB calls, just for example?
> 
> -----Original Message-----
> From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com]
> Sent: Monday, April 14, 2003 7:12 AM
> To: Tomcat Users List
> Subject: RE: Customizing login system in Tomcat ?
> 
> 
> 
> Howdy,
> You'll need some sort of a token, e.g. a cookie on the user's PC or an
> object in the user's session, to identify the fact the user has been 
> authenticated.  Since you don't want to modify the HTML pages 
> themselves, you can use a Filter-based approach:
> - Write a Filter that processes all requested (i.e. its url-pattern is
> /*)
> - The filter checks the request (if using a cookie) or the session for
> the presence of the authenticated token
> - If token is present, do nothing (call doChain() to pass the request
> forward)
> - If token is absent, forward to your existing authentication servlet 
> giving the original request URL as an argument, so that the 
> authentication servlet can forward the user there when it's done 
> authenticating
> 
> Yoav Shapira
> Millennium ChemInformatics
> 
> 
> 
>>-----Original Message-----
>>From: Elodie Tasia [mailto:eta@informactis.com]
>>Sent: Monday, April 14, 2003 10:02 AM
>>To: tomcat-user@jakarta.apache.org
>>Subject: Customizing login system in Tomcat ?
>>
>>Hi,
>>
>>As I've been explained, I can use a Form based authentication in Tomcat, so
>>that the users can log in.
>>The problem is that I already have my login-system : it's a servlet that
>>access a database to verify the login/password and, if it's OK, that
>>redirect to another servlet. I would like to use the tomcat's
>>authentication system IN my servlet, so
>>the user is identified and has not to login each time he accesses a HTML
>>page (but ONLY when he has logged in and not if he tries to access those
>>pages from any browser)...
>>
>>Is that possible without changing my html pages (because I can't do that :
>>my application is a portal where users can import any type of document and
>>visualize it), just modifying the access to the application ?
>>
>>
>>Thanx in advance and excuse me if I insist, but I searched during a long
>>time and didn't find any answer to my question on the web :o(
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 
> 
> 
> 
> This e-mail, including any attachments, is a confidential business 
> communication, and may contain information that is confidential, 
> proprietary and/or privileged.  This e-mail is intended only for the
> individual(s) to whom it is addressed, and may not be saved, copied, 
> printed, disclosed or used by anyone else.  If you are not the(an) 
> intended recipient, please immediately delete this e-mail from your 
> computer system and notify the sender.  Thank you.


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
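
The Filter-based approach described in Yoav Shapira's quoted reply, as an added example that is not code from any poster in this thread. The session attribute `authUser`, the login path `/login` and the `target` parameter are assumed names; the request is passed on with the Servlet API's `chain.doFilter()`, and the return location handed to the login servlet is restricted to a path inside this web application.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: gate every request on a session token that the existing
// login servlet sets after it has verified the login/password.
// Map this filter to all paths of the web application in web.xml.
public class AuthTokenFilter implements Filter {
    // Assumed names, not taken from the thread.
    static final String TOKEN_ATTR = "authUser";
    static final String LOGIN_PATH = "/login";
    static final String TARGET_PARAM = "target";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Path inside this webapp: no scheme, host or context path.
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());

        // The login servlet itself must stay reachable, or the filter loops.
        if (path.equals(LOGIN_PATH)) {
            chain.doFilter(req, res);
            return;
        }

        // getSession(false): do not create a session for an anonymous request.
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(TOKEN_ATTR) != null) {
            chain.doFilter(req, res);   // token present: pass the request forward
            return;
        }

        // Token absent: go to the login servlet, giving it the original
        // location as an app-relative path, never as an absolute URL.
        String query = req.getQueryString();
        String target = path + (query == null ? "" : "?" + query);
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PATH
                + "?" + TARGET_PARAM + "=" + URLEncoder.encode(target, "UTF-8")));
    }
}
```

Because `target` travels through the browser, the login servlet should accept it only when it begins with a single `/` and redirect to it relative to the context path. After a successful login it should invalidate the old session and create a new one before setting `authUser`, so a session ID issued before authentication is not carried over.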