tomcat-users mailing list archives

From: André Warnier
Subject: Re: combination of RemoteAddrValve and basic authentication
Date: Tue, 27 Sep 2011 11:40:55 GMT
Remon Sadikni wrote:
> Hi André, hi Christopher,
> thanks for your answers.
>> The use of HTTP BASIC authentication confuses things here because of
>> the credential transfer mechanism (HTTP headers). I suppose you could
>> write a Valve that sniffs the user's IP address and then adds HTTP
>> headers to the request for the "Authentication" header to essentially
>> force a login. You'll have to decide what the user's Principal will
>> need to look like (because Tomcat will actually try to /verify/ the
>> fake-user's credentials and maintain a "login" for them, running
>> proper authorization checks, etc.) in order to actually work.
> I think I will try this. Are there any tutorials for writing a Valve? I am a Java programmer but new to Valves.

I am not really a Java programmer, so what I say below may be wrong and should be confirmed by a better guru.

The reason why I was mentioning further complexity for the Valve solution is that, as far as I know, the HttpServletRequest object is "immutable" (iow read-only) as it is received. So you cannot just take the incoming HttpServletRequest and, if the IP address matches, add a "fake" "Authorization:" header to it with some generic user-id/password.
You will have to wrap the original HttpServletRequest into a custom HttpServletRequest wrapper (a la "class CustomRequest extends HttpServletRequestWrapper"), add the fake header there, and forward this CustomRequest instead of the original for further processing. In the wrapper class, you also have to override whichever method the Tomcat Basic authentication mechanism uses to retrieve the additional "Authorization:" header (getHeaderNames, getHeader, getHeaders, ...).

At least, that is what I had to do the last time I wrote some Tomcat authentication code as a Servlet Filter. Maybe for a Valve, the situation is different.
Maybe for a seasoned Java programmer this is all a piece of cake; but as for me I had to find out the above the hard way, and it was all a bit of a challenge.
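For reference, here is an added example of the Valve variant discussed in this thread (it is not code from any of the posters). It assumes Tomcat 7's Catalina API and Java 8+, where a Valve receives the container's own Request object and can edit its underlying MimeHeaders (the mechanism Tomcat's RemoteIpValve uses), so the HttpServletRequestWrapper step a Filter would need does not apply; the class name, the address list and the "intranet" account are placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.http.MimeHeaders;

/**
 * Lets the container's BASIC authenticator log in a fixed local account for
 * requests that arrive from trusted addresses. Declare it in the Context
 * (e.g. <Valve className="example.TrustedAddrBasicAuthValve"/>) so it runs
 * before the authenticator valve that Tomcat appends to the pipeline.
 */
public class TrustedAddrBasicAuthValve extends ValveBase {
    // Placeholder allow-list; in practice read it from a Valve attribute.
    private static final Set<String> TRUSTED =
            new HashSet<String>(Arrays.asList("127.0.0.1", "::1"));
    // Placeholder credentials: "intranet" must be a real user in the Realm with
    // the required roles, because Tomcat still verifies what this header carries.
    private static final String CREDS = "intranet:change-me";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer; behind a reverse proxy, put RemoteIpValve
        // in front of this one, otherwise every proxied client looks "trusted".
        String addr = request.getRemoteAddr();
        boolean alreadyHasAuth = request.getHeader("Authorization") != null;
        if (TRUSTED.contains(addr) && !alreadyHasAuth) {
            String value = "Basic " + Base64.getEncoder()
                    .encodeToString(CREDS.getBytes(StandardCharsets.UTF_8));
            // At this level the request is not read-only: the Coyote MimeHeaders
            // can be edited, so the authenticator later sees a normal header.
            MimeHeaders headers = request.getCoyoteRequest().getMimeHeaders();
            headers.setValue("authorization").setString(value);
        }
        getNext().invoke(request, response);
    }
}
```

Requests from non-trusted addresses, or that already carry an Authorization header, pass through untouched and get the ordinary BASIC challenge.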
