tomcat-users mailing list archives

From "Shapira, Yoav" <Yoav.Shap...@mpi.com>
Subject RE: SessionListener
Date Tue, 02 Dec 2003 14:13:05 GMT

Howdy,

>Basic authentication.  I figured it wouldn't be hard with Form
>authentication, but I'm using basic in order to match the look and feel of
>the rest of the site.

OK, so you have basic authentication. Do you have a security-constraint
defined in web.xml?  A login-config?  You can let tomcat do the
authentication for you, and then use the HttpServletRequest methods
(getRemoteUser, getUserPrincipal, isUserInRole).  This is a standard,
easy, portable way, and you don't have to write any custom tomcat code.
Your webapp will not have access to the user's password, but you won't
need it either since the container will authenticate it for you.

Does that fill your needs?

Yoav Shapira

>
>Yeah, saw the same problem with Basu's implementation, though I did like
>the idea.
>
>Justin
>
>-----Original Message-----
>From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com]
>Sent: Tuesday, December 02, 2003 9:00 AM
>To: Tomcat Users List
>Subject: RE: SessionListener
>
>
>
>Howdy,
>Senor Basu, your solution is seriously not thread-safe.  But that's for
>you to worry about it, maybe it's good enough for your needs ;)
>
>As for Senor Hart's questions:
>- HttpSessionListener goes in web.xml, as do all other Servlet
>Specification listeners.
>- SessionListener goes in server.xml, as do all other Tomcat-specific
>listeners.
>
>SessionListener is not tied to HttpSessionListener or HttpSession
>directly.  You have to do a series of casts.  The event object in the
>SessionListener's SessionEvent is a catalina-specific Session
>implementation.  It will also implement the HttpSession interface.  So
>you can get from one to another by casting, but it's ugly (as is the
>whole SessionListener solution).
>
>Let's step back a minute: you have this whole hassle because you want
>the user's password.  You want the user's password in order to
>authenticate the user.  But with the getUserPrincipal approach, the user
>is already authenticated if the Principal is not null.  Alternatively,
>if you have some input screen where the user enters the username and
>password, grab them there instead of from the session.  I think what's
>missing here is the big picture: tell us what you're trying to do, what
>authentication mechanism you're using, and let's forget about the
>tomcat-specific hacks for a minute ;)
>
>Yoav Shapira
>Millennium ChemInformatics
>
>
>>-----Original Message-----
>>From: Atreya Basu [mailto:atreya@greenfieldresearch.ca]
>>Sent: Monday, December 01, 2003 4:37 PM
>>To: Tomcat Users List
>>Subject: Re: SessionListener
>>
>>Hi,
>>
>>Here is how I use the HttpSessionListener.
>>
>>First I create a Class that implements HttpSessionListener:
>>package com.gri.web;
>>import javax.servlet.http.*;
>>public class MySessionListener implements HttpSessionListener
>>{
>>   // Static state shared by every session; access is not synchronized.
>>   private static int num_sessions = 0;
>>   private static HttpSession session = null;
>>
>>   public void sessionCreated(HttpSessionEvent se)
>>    {
>>        num_sessions++;
>>        session = se.getSession();
>>    }
>>    public void sessionDestroyed(HttpSessionEvent se)
>>    { num_sessions--; }
>>    public static int getNumSessions() { return num_sessions; }
>>    // Most recently created session, whichever user it belongs to.
>>    public static HttpSession getLastSession() { return session; }
>>}
>>
>>Now include this in the web.xml for your context (directly after
>>filter&filter-mapping but before Servlet element):
>>
>><listener>
>>  <listener-class>com.gri.web.MySessionListener</listener-class>
>></listener>
>>
>>now all you have to do is create a JSP:
>><jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2">
>><jsp:directive.page import="com.gri.web.*" />
>><html>
>><body>
>><jsp:text>Last user in session: </jsp:text>
>><jsp:expression>
>>MySessionListener.getLastSession().getAttribute("j_username")
>></jsp:expression>
>><jsp:text>Username of current person: </jsp:text>
>><jsp:expression>
>>session.getAttribute("j_username")
>></jsp:expression>
>></body>
>></html>
>></jsp:root>
>>
>>Hart, Justin wrote:
>>
>>>Ok, still, I haven't found any documentation on how to add a
>>>SessionListener in the server.xml file, and adding one using the listener
>>>tags defined for web.xml files doesn't seem to work.
>>>
>>>I also haven't seen how to get a user's credentials from a HttpSession, or
>>>how to get a Session from an HttpSessionListener.  Could you throw me a
>>>bone?
>>>
>>>Justin
>>>
>>>-----Original Message-----
>>>From: Shapira, Yoav [mailto:Yoav.Shapira@mpi.com]
>>>Sent: Monday, December 01, 2003 2:52 PM
>>>To: Tomcat Users List
>>>Subject: RE: SessionListener
>>>
>>>
>>>
>>>Howdy,
>>>A SessionListener of the org.apache.catalina variety would go in the
>>>same place as all tomcat-specific features:
>>>$CATALINA_HOME/conf/server.xml.  That means the class specified there
>>>must be accessible to the server classloaders, i.e. must reside in
>>>common/lib or higher on the classloader hierarchy.
>>>
>>>The above is true for Valves, Realms, Listeners, etc, that are
>>>proprietary to tomcat.
>>>
>>>Yoav Shapira
>>>Millennium ChemInformatics
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Hart, Justin [mailto:JHart@sfa.com]
>>>>Sent: Monday, December 01, 2003 11:53 AM
>>>>To: Tomcat Users List
>>>>Subject: RE: SessionListener
>>>>
>>>>Ok, so, the listener in there must implement HttpSessionListener, where can
>>>>I use SessionListeners?
>>>>
>>>>Justin
>>>>
>>>>-----Original Message-----
>>>>From: Hart, Justin
>>>>Sent: Monday, December 01, 2003 11:34 AM
>>>>To: Tomcat Users List (E-mail)
>>>>Subject: SessionListener
>>>>
>>>>
>>>>My SessionListener doesn't seem to be firing, any help?
>>>>
>>>>I have a SessionListener that I want to go off when a user authenticates to
>>>>my web app (this is a correct usage, right?)
>>>>
>>>>So, in the web.xml of my app, I would put the lines:
>>>>
>>>><web-app>
>>>>	<listener>
>>>>		<listener-class>
>>>>			the class
>>>>		</listener-class>
>>>>	</listener>
>>>></web-app>
>>>>
>>>>This should fire off when the user signs in to the page, correct?
>>>>
>>>>Justin
>>>>
>>>>---------------------------------------------------------------------
>>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>>This e-mail, including any attachments, is a confidential business
>>>communication, and may contain information that is confidential,
>>>proprietary and/or privileged.  This e-mail is intended only for the
>>>individual(s) to whom it is addressed, and may not be saved, copied,
>>>printed, disclosed or used by anyone else.  If you are not the(an) intended
>>>recipient, please immediately delete this e-mail from your computer system
>>>and notify the sender.  Thank you.
>>
>>--
>>____________________________________
>>Developer
>>Greenfield Research Inc.
>>atreya(AT)greenfieldresearch(DOT)ca
>>(902)422-9426
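
Added example, not part of the original thread and not Tomcat's own code: one portable way to run a hook when a user first authenticates under container-managed BASIC authentication, using only getUserPrincipal and isUserInRole as suggested in the reply above. The package, class name, session key, role "member" and realm name are assumptions, and the filter still has to be declared with filter and filter-mapping elements in web.xml.

```java
// Assumed web.xml for container-managed BASIC auth (placeholder names):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>protected</web-resource-name>
//       <url-pattern>/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>member</role-name></auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>
//     <realm-name>Example Realm</realm-name>
//   </login-config>
//   <security-role><role-name>member</role-name></security-role>

package com.example.web; // hypothetical package

import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

public class LoginHookFilter implements Filter {
    private static final String SEEN = "com.example.web.authUser"; // hypothetical key
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        Principal p = req.getUserPrincipal();    // null means not authenticated
        if (p != null) {
            HttpSession s = req.getSession();     // per-user state, no static fields
            if (!p.getName().equals(s.getAttribute(SEEN))) {
                s.setAttribute(SEEN, p.getName());
                onLogin(req, p);
            }
        }
        chain.doFilter(rq, rs);
    }

    // Called on the first authenticated request of a session (concurrent first
    // requests may each trigger it). The password is neither needed nor exposed.
    private void onLogin(HttpServletRequest req, Principal p) {
        ctx.log("login user=" + p.getName()
                + " member=" + req.isUserInRole("member")
                + " remote=" + req.getRemoteAddr());
    }
}
```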