tomcat-users mailing list archives

From Larry Meadors <larry.mead...@gmail.com>
Subject Re: Capturing User Passwords
Date Thu, 29 Sep 2005 03:00:53 GMT
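Here is the code (this is for Tomcat 4.1.x):

       // Requires: java.beans.PropertyDescriptor, java.security.Principal,
       // org.apache.commons.beanutils.PropertyUtils (Commons BeanUtils).
       if(log.isDebugEnabled()){
           Principal principal = req.getUserPrincipal();
           // getUserPrincipal() returns null when the request is not authenticated
           if(principal != null){
               // Log every bean property the Principal implementation exposes;
               // the values are written to the debug log as-is
               PropertyDescriptor[] pds;
               pds = PropertyUtils.getPropertyDescriptors(principal.getClass());
               for(int i = 0; i < pds.length; i++){
                   try {
                       String name = pds[i].getName();
                       Object value = PropertyUtils.getProperty(principal, name);
                       log.debug("pds." + name + " = " + value);
                   } catch (Exception e) {
                       // a property that cannot be read ends up here
                       e.printStackTrace();
                   }
               }
           }
       }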

Larry


On 9/28/05, post@gregperry.co.uk <post@gregperry.co.uk> wrote:
>
>
>
> I am trying to find a way of capturing a user's password so that I can have
> the user login to one of my web applications (which acts as a client), and
> pass it to a second application (which acts as the server).
>
> I know that I can retrieve the user from the ServletRequest using
> req.getUserPrincipal(). However, I do not know how I can retrieve the
> password.
>
> Can anyone offer any advice on whether this can be done and if so, the best
> way of doing it?
>
> [ I did attempt to use forms-based authentication and use a filter to
> capture the password whenever the j_security_check action was invoked.
> However, I read in another post that Tomcat does not allow filters to be
> placed on j_security_check. ]
>
> Once I have the password, I'd ideally be looking at converting it to a
> Credentials object, so that I could pass that to my second app, rather than
> passing the raw password. Does anyone know whether this can be achieved by
> using Tomcat's UserPasswordCredentials class?
>
> Also, to prevent the password being exposed in the URL posted from the login
> page, I'd also be looking to implement SSL. I presume that this will cause
> encryption problems. Does anyone have any advice about how I could work
> around this?
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail:
> tomcat-user-help@jakarta.apache.org
>
>
