tomcat-users mailing list archives

From Neville Peter
Subject Re: JAAS getRemoteUser security custom
Date Wed, 19 May 2010 09:25:47 GMT

I'm still not satisfied with the options so far and I'm sure I do not fully understand it:

Although the valve works in that I can set the principal on the catalina request,
realm.authenticate("username","credentials") within the valve is not actually passing
anything to my JAAS login module, although the login module is being used. Therefore, I
cannot currently authenticate the user within the JAAS module correctly, as there appears
to be no data passed from the valve. Also, if I use the valve, then what is the point of
the servlet using LoginContext.login()?

If I choose not to use a valve then I appear to not have any access to the request object
within JAAS. Even if I use org.apache.catalina.realm.JAASCallbackHandler, I do not get
access to the request. So how are you able to add the principal to the request like you
can do with the valve?

SecurityFilter is not an option as it does not support SSO.

Thanks for the comments so far.

> Using a Valve will give you access to the internal model of the
> request, so you can set Principals etc.
> I had the impression that a full JAAS implementation gave you access to
> the request and enabled the use of a Realm, but maybe it isn't what you
> need.
> The SecurityFilter project might be worth a look, before you commit to
> rolling your own.
> p
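
Editor's added example (not part of the original message and not Tomcat's code): a JAAS login module receives a username and credentials only through the CallbackHandler given to the LoginContext, which is the role org.apache.catalina.realm.JAASCallbackHandler plays when the realm authenticates. The module name, the lambda handler standing in for the container's handler, the in-memory configuration and the demo values are assumptions made so the sketch runs with the JDK alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class CallbackLoginModule implements LoginModule { // hypothetical module name
    private static final byte[] WANT = "demo-secret".getBytes(StandardCharsets.UTF_8); // constructed sample
    private CallbackHandler handler;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        this.handler = h; // supplied by whoever constructs the LoginContext
    }
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass }); // only channel for caller data
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        char[] pw = pass.getPassword(); // a copy, or null if the handler set nothing
        pass.clearPassword();
        if (name.getName() == null || pw == null)
            throw new FailedLoginException("handler supplied no credentials");
        byte[] got = new String(pw).getBytes(StandardCharsets.UTF_8);
        if (!"demo".equals(name.getName()) || !MessageDigest.isEqual(got, WANT))
            throw new FailedLoginException("bad credentials");
        return true;
    }
    public boolean commit() { return true; }
    public boolean abort() { return true; }
    public boolean logout() { return true; }
    public static void main(String[] args) throws Exception {
        CallbackHandler h = cbs -> { // stand-in for the container's handler
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("demo");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("demo-secret".toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        Configuration cfg = new Configuration() { // in-memory JAAS config, no file needed
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(CallbackLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
        new LoginContext("demo-app", new Subject(), h, cfg).login();
        System.out.println("login succeeded with handler-supplied credentials");
    }
}
```

A module that never calls handler.handle(...) in login() sees no username or password, whatever was passed to the code that created the LoginContext.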

