tomcat-users mailing list archives

From Pid <>
Subject Re: JAAS getRemoteUser security custom
Date Tue, 18 May 2010 15:55:19 GMT
On 18/05/2010 15:42, Neville Peter wrote:
> The authentication will take place without any user intervention. For example, from a request parameter or cookie value.
> BTW, I have just managed to get it to work by using a custom Valve that extends AuthenticatorBase and uses my JAAS realm. The valve adds the principal to the request and this in turn allows getRemoteUser() to work in the servlet.
> Is this the missing link between using JAAS and still supporting getRemoteUser()? Or is there a standard way of doing this?

Using a Valve will give you access to the internal model of the
request, so you can set Principals etc.

I had the impression that a full JAAS implementation gave you access to
the request and enabled the use of a Realm, but maybe it isn't what you

The SecurityFilter project might be worth a look, before you commit to
rolling your own.


>> Why is a callbackhandler not required?
>> p
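The approach discussed in this thread (a Valve that authenticates against the configured Realm and sets the principal on Tomcat's internal request so that getRemoteUser() works), as an added example that is not code from either poster. It extends ValveBase rather than AuthenticatorBase; the class name, the cookie name AUTH_TOKEN and its "user:token" format are assumptions, and it assumes a Tomcat version built on the javax.servlet API with the valve configured inside a Context.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical valve: silent login from a cookie, validated by the Realm. */
public class TokenPrincipalValve extends ValveBase {
    private static final String COOKIE_NAME = "AUTH_TOKEN"; // assumed name
    private static final String AUTH_TYPE = "TOKEN";        // assumed label
    private static final int MAX_LEN = 512;                 // reject oversized values

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (request.getUserPrincipal() == null) {
            String[] pair = readUserAndToken(request);
            Realm realm = request.getContext() == null
                    ? null : request.getContext().getRealm();
            if (pair != null && realm != null) {
                // Never trust the name in the cookie by itself: the Realm
                // (for example a JAAS realm) must accept the pair first.
                Principal p = realm.authenticate(pair[0], pair[1]);
                if (p != null) {
                    request.setUserPrincipal(p); // getRemoteUser() now works
                    request.setAuthType(AUTH_TYPE);
                }
                // On failure no principal is set; the request continues
                // unauthenticated and security constraints still apply.
            }
        }
        getNext().invoke(request, response);
    }

    /** Returns {user, token}, or null if the cookie is absent or malformed. */
    private static String[] readUserAndToken(Request request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            String v = c.getValue();
            if (!COOKIE_NAME.equals(c.getName()) || v == null || v.length() > MAX_LEN) continue;
            int sep = v.indexOf(':');
            if (sep > 0 && sep < v.length() - 1) {
                return new String[] { v.substring(0, sep), v.substring(sep + 1) };
            }
        }
        return null;
    }
}
```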