tomcat-users mailing list archives

From: André Warnier
Subject: Re: simple authentication question
Date: Thu, 21 Feb 2013 11:31:27 GMT
Christopher Schultz wrote:
> André,
> On 2/20/13 4:20 PM, André Warnier wrote:
>> In relation to a couple of recent posts, I have a naive question :
>> In a servlet, to retrieve the authenticated user-id (if any), I
>> use
>> String userName = request.getRemoteUser();
>> Now, suppose I wanted to create a servlet filter which (under
>> certain conditions), would force the current request to be
>> authenticated as user "someuser", how would I do that ?
>> I s'pose it would too much to ask that it would just be
>> request.setRemoteUser("someuser");
> As long as you only want to "trick" some filter or servlet
> further-down from your own, you can install a filter that:
> 1. Wraps the request with an HttpServletRequestWrapper which...
> 2. overrides getRemoteUser() to return whatever you want it to return.
> If you have to pull the wool over the eyes of a Valve, you'll have to
> write a Valve and install it at a suitably-early in the pipeline.

Mark Thomas wrote:
> Almost, but you need to use a method that actually exists in the API.
> HttpServletRequest.login(String username, String password)

So it does not appear so easy after all.

To Mark : why "password" ?
To Chris : why is that so complicated ?

In my idea, this thing consisted simply in "stuffing" a user-id in the userPrincipal object associated with the current request. I don't really need a password, do I? I do not really want this to run again through any real authentication mechanism; I know that whatever user-id I put in there is "valid enough".
I know that the Request itself is not modifiable, but the place where the associated user-id is stored is not directly in the Request, or is it?

The idea is for example (as in a recent post to the list): the servlet filter checks that the request is coming from the internal network. If so, we can just set the user-id to "internal" and let it through. Otherwise, we return a 401 or a login page, e.g.
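The filter sketched in this thread, written out as an added example (not code from any of the posters or from Tomcat): it wraps the request with an HttpServletRequestWrapper so that getRemoteUser() and getUserPrincipal() answer "internal" for requests from a constructed list of internal addresses, and returns 401 otherwise. The class name, the address list and the user-id are assumptions for illustration; as Chris notes above, only filters and servlets further down the chain see the substituted identity, not container security constraints or Valves.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical class): substitutes a fixed user-id for internal callers. */
public class InternalUserFilter implements Filter {

    // Constructed sample values: addresses treated as the "internal network".
    private static final Set<String> INTERNAL_ADDRS = Set.of("10.0.0.5", "127.0.0.1");
    private static final String INTERNAL_USER = "internal";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        if (httpReq.getRemoteUser() != null) {            // container already authenticated it
            chain.doFilter(req, res);
        } else if (INTERNAL_ADDRS.contains(httpReq.getRemoteAddr())) {
            // getRemoteAddr() is the TCP peer: behind a reverse proxy it is the proxy,
            // not the client, so this check is only meaningful when Tomcat is reached directly.
            chain.doFilter(new FixedUserRequest(httpReq, INTERNAL_USER), res);
        } else {
            httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /** Wrapper that answers identity queries with a fixed user-id; roles are not granted. */
    static final class FixedUserRequest extends HttpServletRequestWrapper {
        private final Principal principal;

        FixedUserRequest(HttpServletRequest req, String user) {
            super(req);
            this.principal = () -> user;                  // Principal's single abstract method is getName()
        }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return false; }
    }
}
```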
