tomcat-users mailing list archives

From "Craig Berry" <Craig.Be...@portblue.com>
Subject RE: Realm
Date Mon, 26 May 2003 02:34:28 GMT
The trick is to set up your web.xml and login-config.xml to protect the servlets which should
require login.  Then the configured authentication mechanism (basic, form, whatever) will
automatically intercept non-logged-in user access, do the login, and put the authenticated
Principal information into the request where your servlet can get it using the method I mentioned.
 
Once you have that user name, your servlet can use it to look up whatever other information
is needed and put it in the session (or whatever).  Using a servlet filter for this purpose
is often even better; that way you can have all your login post-processing logic in one place
for many different protected resources.

	-----Original Message----- 
	From: Paul Hsu [mailto:hsu.paul@verizon.net] 
	Sent: Sun 5/25/2003 10:42 AM 
	To: Tomcat Users List 
	Cc: 
	Subject: Re: Realm
	
	

	Craig,
	
	Thank you for your help.
	You are correct, I don't need to grab the password. You mean I just need to
	write a servlet, catch the user name from the request, get all the user
	information and save it in the session. But how can I ask the Realm to call my
	servlet after Tomcat does the authentication? I'd like to do the same thing the
	www.datek.com website does. This web site can pull your account information
	after you log in.
	
	thanks,
	
	Paul
	----- Original Message -----
	From: "Craig Berry" <Craig.Berry@portblue.com>
	To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>;
	<tomcat-user@jakarta.apache.org>
	Sent: Saturday, May 24, 2003 9:53 PM
	Subject: RE: Realm
	
	
	> The username can be obtained using the HttpServletRequest.getUserPrincipal method (see http://java.sun.com/j2ee/sdk_1.2.1/techdocs/api/javax/servlet/http/HttpServletRequest.html).  See the Principal doc on how to get the username string from the returned Principal object.
	>
	> In general, if you're going to use JAAS authentication, it's wise to design your app so that it doesn't need to know the logged-in user's password.  None of the standard authenticators put it anywhere conveniently accessible, and for good reason; the less code involved in handling passwords, the fewer places there are for a security exploit to grab it.  If you really need to get the password to your own code, you'll need to write a custom JAAS authenticator that does what you need.
	>
	>
	> -----Original Message-----
	> From: Paul Hsu [mailto:hsu.paul@verizon.net]
	> Sent: Sat 5/24/2003 9:39 PM
	> To: tomcat-user@jakarta.apache.org
	> Cc:
	> Subject: Realm
	>
	>
	>
	> Hi,
	> I am using a Tomcat Realm to authenticate users accessing a web site. I have one question: how can I catch the user name/password after the Tomcat server authenticates the user (Tomcat will pop up an authentication screen)? Any help would be appreciated.
	>
	> Paul
	>
	>
	
	
	
	

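The servlet filter approach suggested in the reply at the top of this message, sketched as an added example that is not part of the original thread. It assumes the `javax.servlet` API of that era; the class name, session keys and in-memory account map are hypothetical, and the filter is assumed to be mapped in web.xml to the same URL patterns as the security constraint.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical filter: all login post-processing for protected resources in one place.
public class LoginPostProcessingFilter implements Filter {
    static final String OWNER_ATTR = "app.profileOwner";   // assumed session keys
    static final String PROFILE_ATTR = "app.profile";

    // Constructed sample data standing in for the real account store.
    private static final Map<String, String> ACCOUNTS = new HashMap<String, String>();
    static { ACCOUNTS.put("paul", "sample account record"); }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // The container sets the Principal after a successful login. The user
        // name is taken only from it, never from a request parameter or header.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Filter reached on a URL the security constraint does not cover: fail closed.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = principal.getName();
        HttpSession session = request.getSession();
        // Load once per login; reload if the cached profile belongs to another principal.
        if (!user.equals(session.getAttribute(OWNER_ATTR))) {
            session.setAttribute(PROFILE_ATTR, ACCOUNTS.get(user));
            session.setAttribute(OWNER_ATTR, user);
        }
        chain.doFilter(req, res);
    }
}
```

The password never reaches application code here; servlets behind the filter read only the session attribute.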