tomcat-users mailing list archives

From Franck Borel
Subject Problems with JAAS-Realm
Date Fri, 21 Sep 2007 08:09:31 GMT

My problem is a bit complicated and I hope someone has enough courage to find an
answer :-).

First, I'll try to explain what I want to do:
I am running a JAAS-Realm with FORM authentication. As is known, this can only
pass username and credential. Now, I was trying to pass the current IP address
of the user too. The only solution that I found was to overwrite the
org.apache.catalina.realm.JAASRealm class and catch the IP address of the user
using one of the methods which provide a request object, like this:

  public SecurityConstraint[] findSecurityConstraints(Request request, Context context) {
         HttpServletRequest req = request;    // catch Request
         session = req.getSession();          // catch session
         ipAddress = req.getRemoteAddr();

The problem:
On a first try this seems to work. But if more than one client tries to use the
authentication, it catches the last IP address of the user who makes a request
and not the IP address of the current client I would like to authenticate:

1) client A sends a request to the protected site
2) client A authenticates with username/password
3) At the same time client B sends a request to the protected site
4) JAASRealm will be started and calls req.getRemoteAddr()
5) JAASRealm gets the IP address from client B

So, req.getRemoteAddr() seems to catch the information outside of the
current thread and I don't know why. Does someone have an idea?


-- Franck
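
An added illustration of the behaviour described in the message above (not code from the post or from Tomcat): a container uses one realm object for all request threads, so an IP address kept in an instance field, as `ipAddress` is in the snippet, is overwritten by whichever request arrived last. The names `FakeRealm`, `SharedFieldRealm` and `ThreadLocalRealm` and the addresses are constructed for the demo, and the per-thread variant assumes both calls run on the same request thread.

```java
import java.util.concurrent.CountDownLatch;

// Added illustration; class and method names are hypothetical, not Tomcat API.
public class RealmFieldRaceDemo {

    interface FakeRealm {
        void findSecurityConstraints(String remoteAddr); // stands in for the overridden method
        String authenticate();                           // returns the IP the realm uses
    }

    // Mirrors the post: one realm object, IP kept in an instance field.
    static class SharedFieldRealm implements FakeRealm {
        private volatile String ipAddress;
        public void findSecurityConstraints(String remoteAddr) { ipAddress = remoteAddr; }
        public String authenticate() { return ipAddress; }
    }

    // Per-thread storage: each request thread only sees the value it stored.
    static class ThreadLocalRealm implements FakeRealm {
        private final ThreadLocal<String> ipAddress = new ThreadLocal<>();
        public void findSecurityConstraints(String remoteAddr) { ipAddress.set(remoteAddr); }
        public String authenticate() {
            // Clear after use: pooled request threads are reused for other clients.
            try { return ipAddress.get(); } finally { ipAddress.remove(); }
        }
    }

    // Forces the interleaving from the post: A stores its IP, B's request arrives, A authenticates.
    static String ipSeenForClientA(FakeRealm realm) throws InterruptedException {
        CountDownLatch aStored = new CountDownLatch(1), bStored = new CountDownLatch(1);
        String[] seen = new String[1];
        Thread a = new Thread(() -> {
            realm.findSecurityConstraints("192.0.2.10");    // constructed address, client A
            aStored.countDown();
            try { bStored.await(); } catch (InterruptedException e) { return; }
            seen[0] = realm.authenticate();
        });
        Thread b = new Thread(() -> {
            try { aStored.await(); } catch (InterruptedException e) { return; }
            realm.findSecurityConstraints("198.51.100.20"); // constructed address, client B
            bStored.countDown();
        });
        a.start(); b.start(); a.join(); b.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared field : " + ipSeenForClientA(new SharedFieldRealm()));
        System.out.println("thread-local : " + ipSeenForClientA(new ThreadLocalRealm()));
    }
}
```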
