From André Warnier ...@ice-sa.com>
Subject Re: simple authentication question
Date Thu, 21 Feb 2013 11:31:27 GMT
Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> André,
> 
> On 2/20/13 4:20 PM, André Warnier wrote:
>> In relation to a couple of recent posts, I have a naive question :
>>
>> In a servlet, to retrieve the authenticated user-id (if any), I
>> use
>>
>> String userName = request.getRemoteUser();
>>
>> Now, suppose I wanted to create a servlet filter which (under
>> certain conditions), would force the current request to be
>> authenticated as user "someuser", how would I do that ?
>>
>> I s'pose it would be too much to ask that it would just be
>>
>> request.setRemoteUser("someuser");
> 
> As long as you only want to "trick" some filter or servlet
> further-down from your own, you can install a filter that:
> 
> 1. Wraps the request with an HttpServletRequestWrapper which...
> 2. overrides getRemoteUser() to return whatever you want it to return.
> 
> If you have to pull the wool over the eyes of a Valve, you'll have to
> write a Valve and install it at a suitably early point in the pipeline.
> 
Well,

Mark Thomas wrote:
>
> Almost, but you need to use a method that actually exists in the API.
>
> HttpServletRequest.login(String username, String password)
>

So it does not appear so easy after all.

To Mark : why "password" ?
To Chris : why is that so complicated ?

In my idea, this thing consisted simply in "stuffing" a user-id in the userPrincipal
object associated to the current request.  I don't really need a password, do I ? I do not
really want this to run again through any real authentication mechanism; I know that
whatever user-id I put in there is "valid enough".
I know that the Request itself is not modifiable, but the place where the associated
user-id is stored is not directly in the Request, or is it ?

The idea is for example (as in a recent post to the list) : the servlet filter checks that
the request is coming from the internal network. If so, we can just set the user-id to
"internal" and let it through.  Otherwise, we return a 401 or a login page e.g.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
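The wrapper approach Chris describes, written out as an added example that is not code from the thread or from Tomcat: a servlet filter that, when the TCP peer is on an internal network, wraps the request in an HttpServletRequestWrapper whose getRemoteUser()/getUserPrincipal()/isUserInRole() report the synthetic user "internal", and otherwise returns 401. The class names, the internal address prefix "10." and the role name are assumptions for the example. Note the caveat the thread hints at: the wrapper is seen only by filters and servlets that run after it; Tomcat's authenticator Valves and the <security-constraint> checks have already run by the time the filter chain executes, so this does not satisfy container-managed security, and the origin check is only as trustworthy as getRemoteAddr() (which is the reverse proxy's address when one is in front of Tomcat).

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not from the mailing-list thread: for requests whose TCP
 * peer address is on the internal network, wrap the request so that code
 * downstream of this filter sees the synthetic user "internal"; everything
 * else receives a 401. The prefix and user/role names are assumptions.
 */
public class InternalUserFilter implements Filter {

    // Assumed internal address prefix; adjust to the real deployment.
    private static final String INTERNAL_PREFIX = "10.";
    private static final String INTERNAL_USER = "internal";
    private static final String INTERNAL_ROLE = "internal";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // If the container already authenticated this request, do not override it.
        if (request.getRemoteUser() != null) {
            chain.doFilter(request, response);
            return;
        }

        // getRemoteAddr() is the TCP peer. Behind a reverse proxy that is the
        // proxy, not the client, so either run this only on an unproxied
        // connector or configure RemoteIpValve so getRemoteAddr() reflects a
        // trusted X-Forwarded-For. Never read X-Forwarded-For directly here:
        // the client controls that header.
        if (isInternal(request.getRemoteAddr())) {
            chain.doFilter(new SyntheticUserRequest(request, INTERNAL_USER), response);
        } else {
            response.setHeader("WWW-Authenticate", "Basic realm=\"internal\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    // String prefix match on the dotted-quad form; an IPv6-mapped address such
    // as ::ffff:10.1.2.3 would not match and would therefore be rejected.
    static boolean isInternal(String remoteAddr) {
        return remoteAddr != null && remoteAddr.startsWith(INTERNAL_PREFIX);
    }

    @Override
    public void destroy() { }

    /**
     * Overrides only the identity accessors. Only filters and servlets that run
     * after InternalUserFilter and call these methods are affected; Tomcat's
     * authenticator Valves and security constraints have already run.
     */
    static final class SyntheticUserRequest extends HttpServletRequestWrapper {
        private final String user;

        SyntheticUserRequest(HttpServletRequest request, String user) {
            super(request);
            this.user = user;
        }

        @Override
        public String getRemoteUser() { return user; }

        @Override
        public Principal getUserPrincipal() {
            return new Principal() {
                @Override public String getName() { return user; }
                @Override public String toString() { return "Principal[" + user + "]"; }
            };
        }

        @Override
        public boolean isUserInRole(String role) {
            // Assumption for the example: the synthetic user holds exactly one role.
            return INTERNAL_ROLE.equals(role);
        }

        @Override
        public String getAuthType() { return "SYNTHETIC"; }
    }
}
```

Register the filter in web.xml (or with @WebFilter) ahead of any filter that reads the user, and keep in mind the ordering it cannot change: anything that needs the container's own notion of the user, such as a <security-constraint> or a Valve, requires the route Mark points at (HttpServletRequest.login(), which does go through the configured Realm and so needs credentials) or a custom Valve installed early in the pipeline, as Chris says.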

