tomcat-users mailing list archives

From David Evans <>
Subject Re: Alternatives to J2EE Authentication
Date Fri, 27 Feb 2004 04:31:18 GMT
Having just researched this, here's what I found.
Using a javax.servlet.Filter works very well.
As you say, you check the session for an attribute value that indicates
authentication. In its absence you use a RequestDispatcher to
forward to a login servlet which checks for four cases:
1. no request parameters, display logon form
2. invalid request parameters, display errors
3. unable to authenticate with valid parameters, display error
4. parameters authenticate, forward to home page
Thanks to Rick Bay on the struts-users list for this idea,
along with option 3 on this email.

This is a fully featured, XML-file-configurable filter
that I will eventually use as my solution:

but for fun and understanding I wrote (cut and pasted bits from the web
really) this one, as a test:

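import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public final class AuthFilter implements Filter {

  // Required by the Filter interface; nothing to set up or tear down here
  public void init(FilterConfig config) throws ServletException {}

  public void destroy() {}

  public void doFilter(ServletRequest request, ServletResponse response,
                       FilterChain chain)
        throws IOException, ServletException {

     boolean auth = false;

     if (request instanceof HttpServletRequest) {
        // getSession() creates a session if none exists, so it is never null
        HttpSession session = ((HttpServletRequest) request).getSession();
        String path = ((HttpServletRequest) request).getPathInfo();
        Boolean authAttr =
                (Boolean) session.getAttribute("authenticated");
        if (authAttr != null) auth = authAttr.booleanValue();
     }

     if (auth) {
        // Session is marked authenticated: let the request continue
        chain.doFilter(request, response);
     } else {
        // "/login" is a placeholder: the login servlet's path was cut off
        // in the archived message
        RequestDispatcher dispatcher =
                request.getRequestDispatcher("/login");
        dispatcher.forward(request, response);
     }
  }
}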


Hope that helps.


On Thu, 2004-02-26 at 18:19, Steven J. Owens wrote:
> Hi folks,
>      The most common (and frustrating) bookmarked login page gotcha
> with J2EE authentication has been oft-discussed (broken as designed)
> on this list.  
>      What are people's favorite alternatives to J2EE authentication?
> And why?
>      Something I'm particularly interested is alternatives that don't
> require me to rebuild the application from scratch.  I'm looking at
> tearing out the old login process and putting in a new one and I don't
> really want to start the whole thing over.  
>      If I had to build it from scratch myself, I'd do it as a simple
> Servlet filter that checks for a Principal object stored in the user's
> HttpSession.
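
The four login-servlet cases listed in the message, written out as an added example (not code from the original post or from the filter project it mentions). The parameter names, the /WEB-INF/login.jsp and /home paths, the loginError attribute and the abstract authenticate() hook are assumptions; only the "authenticated" session attribute comes from the AuthFilter code above.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example: login servlet that the filter forwards to.
// Parameter names and the JSP/home paths are assumptions.
public abstract class LoginServlet extends HttpServlet {

  // The credential check is left to the application; the message
  // does not say how credentials are verified.
  protected abstract boolean authenticate(String user, String password);

  @Override
  protected void service(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    String user = req.getParameter("username");
    String password = req.getParameter("password");

    if (user == null && password == null) {
      showForm(req, resp, null);                                  // case 1
    } else if (user == null || password == null
               || user.trim().isEmpty() || password.isEmpty()) {
      showForm(req, resp, "Username and password are required."); // case 2
    } else if (!authenticate(user, password)) {
      // Same message for unknown user and wrong password
      showForm(req, resp, "Login failed.");                       // case 3
    } else {                                                      // case 4
      // Hardening added here, not in the message: drop the pre-login
      // session so its id is not carried into the authenticated one.
      HttpSession old = req.getSession(false);
      if (old != null) old.invalidate();
      // Same attribute name and type that AuthFilter reads.
      req.getSession(true).setAttribute("authenticated", Boolean.TRUE);
      req.getRequestDispatcher("/home").forward(req, resp);
    }
  }

  private void showForm(HttpServletRequest req, HttpServletResponse resp,
                        String error) throws ServletException, IOException {
    req.setAttribute("loginError", error); // null on first display
    req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
  }
}
```

Because the filter forwards rather than redirects, the servlet sees the original request's parameters, so case 1 is reached whenever neither login field is present.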
