tomcat-users mailing list archives

From Franck Borel <>
Subject Re: is it possible to determin the requested resource when using realm authentication?
Date Mon, 03 Apr 2006 09:25:58 GMT
Hi Jay,

> I believe that I already know the answer to this.  But, if possible,
> it would be nice to have some confirmation.
> I have an application that uses JAASRealm for authentication.  Within
> my LoginModule class, is it possible to determine which resource the
> user is currently trying to access?
> My current interpretation of the documentation is that the
> authentication module simply knows who you are and what your
> credential (password) is.  Upon successful authentication, the module
> returns with success/fail and the roles associated with that user. 
> It's then up to the application itself to determine if the user's role
> has access to the requested resource.  (this is usually declaratively
> stated, either through the web.xml configuration, or the struts
> configuration).

The only way I know to read any user information in the JAASRealm is 
to intercept the user request. Unfortunately there is only one location 
where you can do this without changing any classes in the catalina.jar. 
Look at the RealmBase class. There is a method called 
'SecurityConstraint'. This method has a request parameter that you can 
intercept with 'this.request = request'. Now you are able to get all 
user information and determine which resource the user is currently trying 
to access.
Pass the parameter to the upper class like this:

return super.findSecurityConstraints(request, context);

Rewrite the JAASRealm, call it whatever you want, save it with all the other 
classes you need (login.class ....) and put the jar file under 
Change your entry in your server.xml:

Realm className      = "<your JAAS class name>"

Restart Tomcat.

-- Franck
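
Added example, not part of the message above and not Tomcat's own code: the override described in the reply, written as a JAASRealm subclass. The class name `RequestAwareJAASRealm`, its package and its accessor methods are hypothetical; the imports assume a Tomcat 5.5-era class layout running on Java 5 or later. Because a single realm instance is shared by every request thread, the captured values are kept in a ThreadLocal rather than in an instance field.

```java
// Added example: package, class name and accessors are hypothetical.
package example.realm;

import org.apache.catalina.Context;
import org.apache.catalina.connector.Request;
// Tomcat 8 and later moved this class to
// org.apache.tomcat.util.descriptor.web.SecurityConstraint
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.JAASRealm;

public class RequestAwareJAASRealm extends JAASRealm {

    // Index 0: HTTP method, index 1: request URI, for the request that is
    // being processed on the current thread.
    private static final ThreadLocal<String[]> CURRENT = new ThreadLocal<String[]>();

    @Override
    public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
        // Copy only the values that are needed. Tomcat recycles Request
        // objects, so holding a reference past this request is unsafe.
        CURRENT.set(new String[] { request.getMethod(), request.getRequestURI() });
        // Constraint matching itself is left to RealmBase.
        return super.findSecurityConstraints(request, context);
    }

    /** HTTP method of the request on this thread, or null if none was seen. */
    public static String currentMethod() {
        String[] values = CURRENT.get();
        return values == null ? null : values[0];
    }

    /** Request URI of the request on this thread, or null if none was seen. */
    public static String currentRequestURI() {
        String[] values = CURRENT.get();
        return values == null ? null : values[1];
    }
}

// Inside the LoginModule's login() method (same jar as the realm):
//     String resource = RequestAwareJAASRealm.currentRequestURI();
```

The static accessors only return the captured values when the LoginModule and the realm are loaded by the same class loader and login() runs on the request thread, which is why the realm and login classes are packaged in one jar.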
