tomcat-users mailing list archives

From André Warnier
Subject Re: Using IP and Auth Constraints together
Date Fri, 15 May 2009 11:36:32 GMT
Shashank Rachamalla wrote:
> Hi!
> Is there any way to configure <security-constraint> for a webapp to
> disable authentication and authorization for a particular IP address and
> enable it for all other IP addresses.
Probably not, since I doubt that this is foreseen by the Servlet 
But I can think of a way, subject to confirmation by an expert on this 
list:

You could write a simple servlet filter, which checks the caller's IP 
address, and if it matches, sets the user-id in the session to some 
pre-determined value.
It is possible that when the authentication code finds out that there is 
already a user set, it would just return OK and let the call through.
And for your application code, it would be easier to deal with a case 
where there is always a user-id (even if one is a dummy), than have to 
deal with some cases where it is not set, no?

What I am not quite sure of, is whether a filter runs early enough to 
precede the authentication part, or not.
I guess if not, then you would have to implement this as a Valve.
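
The Valve variant mentioned at the end of the message, as an added example that is not part of the original post and not Tomcat's own code. It assumes Tomcat 7 to 9 (`javax.servlet`, the three-argument `GenericPrincipal` constructor), a valve registered ahead of the context's authenticator, and an authenticator that accepts a principal already set on the request. The class name, setter names, address, user name and role are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical valve: pre-authenticates requests from allow-listed addresses. */
public class TrustedAddressValve extends ValveBase {
    private static final Logger LOG = Logger.getLogger(TrustedAddressValve.class.getName());

    // Constructed sample values; override them with attributes on the <Valve> element.
    private Set<String> trustedAddresses = new HashSet<String>(Arrays.asList("192.0.2.10"));
    private String userName = "trusted-host";
    private String role = "user"; // must match a role-name in the <auth-constraint>

    public void setTrustedAddresses(String csv) {
        Set<String> parsed = new HashSet<String>();
        for (String a : csv.split(",")) {
            if (!a.trim().isEmpty()) parsed.add(a.trim());
        }
        trustedAddresses = parsed;
    }
    public void setUserName(String userName) { this.userName = userName; }
    public void setRole(String role) { this.role = role; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy it is the
        // proxy's address, so every proxied client would match. Do not replace
        // it with a client-supplied header such as X-Forwarded-For.
        // Matching is by exact string, so list IPv6 peers in the form Tomcat reports.
        String peer = request.getRemoteAddr();
        if (request.getUserPrincipal() == null && trustedAddresses.contains(peer)) {
            request.setUserPrincipal(
                new GenericPrincipal(userName, null, Arrays.asList(role)));
            request.setAuthType("TRUSTED_ADDRESS"); // label chosen for this example
            LOG.info("Pre-authenticated " + peer + " as " + userName);
        }
        getNext().invoke(request, response);
    }
}
```

The dummy principal is given exactly one role, so the bypass grants no more than the constraint it is meant to satisfy, and each use is logged for audit.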
