tomcat-users mailing list archives

From "" <>
Subject Capturing User Passwords
Date Wed, 28 Sep 2005 13:29:04 GMT

I am trying to find a way of capturing a user's password so that I can have the user log in
to one of my web applications (which acts as a client), and pass it to a second application
(which acts as the server).

I know that I can retrieve the user from the ServletRequest using req.getUserPrincipal().
However, I do not know how I can retrieve the password.

Can anyone offer any advice on whether this can be done and if so, the best way of doing it?

[ I did attempt to use forms-based authentication and use a filter to capture the password
whenever the j_security_check action was invoked. However, I read in another post that Tomcat
does not allow filters to be placed on j_security_check. ]

Once I have the password, I'd ideally be looking at converting it to a Credentials object,
so that I could pass that to my second app, rather than passing the raw password. Does anyone
know whether this can be achieved by using Tomcat's UserPasswordCredentials class?

Also, to prevent the password being exposed in the URL posted from the login page, I'd also
be looking to implement SSL. I presume that this will cause encryption problems. Does anyone
have any advice about how I could work around this?
