tomcat-users mailing list archives

From Christopher Schultz
Subject Re: interaction between .forward() and <security-constraint>
Date Thu, 09 Sep 2010 18:47:55 GMT


On 9/4/2010 11:42 AM, Brian McBride wrote:
> On 04/09/2010 15:27, Jason Britton wrote:
>> I would look at a servlet filter to provide this sort of dynamic access
>> control.
> That's what I'm doing.  The filter needs to know the user id - and I was
> hoping to reuse Tomcat's authentication mechanism for that.  But I
> don't think I can :(

Here's something you can do. Write a filter that you attach to URLs that
/are/ used for authentication, and then copy the user's username into
the session.

In your authentication filter, use the username stored in the session
instead of calling request.getRemoteUser.

Alternatively, you can wrap the request in your own wrapper and override
getRemoteUser to get the username from the session if it's not available
from the request.

I'm sure there are some edge cases where an authenticated user might end
up looking like a "guest", but you can probably solve those. If you
always use HTTP Authentication (it wasn't clear what was really going
on, with all that talk about DIGEST authentication), then you can always
get the username from the request headers. In that case, your filter can
use that as a source of authentication data, too.

-chris
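
The two suggestions in the message above, combined into one filter, as an added example that is not code from the thread or from Tomcat: it saves the container-authenticated username in the session and wraps the request so that getRemoteUser falls back to it. The class name and the session attribute key are hypothetical, and it assumes the javax.servlet API and a filter mapping that covers both the protected and the unprotected URLs.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: RememberUserFilter and USER_ATTR are hypothetical names.
public class RememberUserFilter implements Filter {
    // Assumed session key. Only this filter should ever write it, and only
    // from a value the container itself authenticated.
    static final String USER_ATTR = "example.authenticatedUser";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = http.getRemoteUser();
        if (user != null) {
            // This request hit a URL under a <security-constraint> and the
            // container authenticated it: remember who it was.
            http.getSession(true).setAttribute(USER_ATTR, user);
        }
        chain.doFilter(new SessionUserRequest(http), res);
    }

    // Wrapper that answers getRemoteUser from the session when the container
    // did not populate it on this request.
    static final class SessionUserRequest extends HttpServletRequestWrapper {
        SessionUserRequest(HttpServletRequest r) { super(r); }

        @Override
        public String getRemoteUser() {
            String user = super.getRemoteUser();
            if (user != null) return user;
            // getSession(false): never create a session just to look up a guest.
            HttpSession s = getSession(false);
            Object saved = (s == null) ? null : s.getAttribute(USER_ATTR);
            return (saved instanceof String) ? (String) saved : null;
        }
        // getUserPrincipal() and isUserInRole() are not overridden, so
        // container role checks still see an unauthenticated request here.
    }
}
```

The saved name lives as long as the session does, so logout has to invalidate the session (or remove the attribute) for the user to stop being recognised on unprotected URLs.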