tomcat-users mailing list archives

From Johannes Meyer <johannes.c.me...@gmail.com>
Subject Re: AJAX Authentification
Date Sat, 09 Feb 2013 17:07:49 GMT
I built a solution that is working for me. The Servlet does a
login, copies the authentication data to the session and responds
with JSON data.

The problem with this solution is that I have to access a private
member by using reflection, because the StandardSession object is
hidden behind a Facade pattern.

It's very dirty, but perhaps it can help someone.


    import java.io.IOException;
    import java.io.PrintWriter;
    import java.lang.reflect.Field;
    import java.util.logging.Level;
    import java.util.logging.Logger;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.catalina.authenticator.Constants;
    import org.apache.catalina.session.StandardSession;
    import org.json.JSONException;
    import org.json.JSONObject;

    public class AjaxLoginServlet extends HttpServlet {

        // java.util.logging stands in here for the poster's own jafaLogger,
        // which is not part of the post
        private static final Logger LOG =
                Logger.getLogger(AjaxLoginServlet.class.getName());

        @Override
        public void doPost(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            String username = req.getParameter("j_username");
            String password = req.getParameter("j_password");

            boolean success = false;
            String errortext = null;

            if (username != null && password != null) {
                try {
                    // authenticate the current request
                    req.login(username, password);
                    // attention! only the request is authenticated now

                    try {
                        // on org.apache.catalina.session.StandardSession we can set the
                        // "UserPrincipal" from the current request;
                        // this object is a private member of an instance of
                        // 'StandardSessionFacade'
                        StandardSession tomcatSession = (StandardSession)
                                getPrivateField(req.getSession(), "session");

                        // set the authentication data on the session
                        tomcatSession.setPrincipal(req.getUserPrincipal());
                        tomcatSession.setAuthType(HttpServletRequest.BASIC_AUTH);
                        tomcatSession.setNote(Constants.SESS_USERNAME_NOTE, username);
                        // note: this keeps the clear-text password in the session
                        // for as long as the session lives
                        tomcatSession.setNote(Constants.SESS_PASSWORD_NOTE, password);

                        // OK
                        LOG.info("Login OK");
                        success = true;
                    } catch (Exception e) {
                        success = false;
                        errortext = "Error configuring session: " + e.getMessage();
                        LOG.log(Level.SEVERE, errortext, e);
                    }
                } catch (ServletException loginError) {
                    success = false;
                    // the container's exception text is returned to the client as-is
                    errortext = loginError.toString();
                }
            } else {
                success = false;
                errortext = "Username or password missing";
            }

            res.setContentType("application/json");
            JSONObject jsonElement = new JSONObject();

            try {
                jsonElement.put("success", success);

                if (!success && errortext != null) {
                    jsonElement.put("errortext", errortext);
                }
            } catch (JSONException jsonException) {
                // not reachable for a boolean and a String value
            }

            PrintWriter out = res.getWriter();
            out.write(jsonElement.toString());
            out.flush();
            out.close();
        }

        // Reads a private field by reflection. The post calls getPrivateField()
        // without showing it, so this is an assumed implementation.
        private static Object getPrivateField(Object target, String fieldName)
                throws NoSuchFieldException, IllegalAccessException {
            Field field = target.getClass().getDeclaredField(fieldName);
            field.setAccessible(true);
            return field.get(target);
        }
    }

2013/2/9 Jimmy Johnson <eclectic.sounds@gmail.com>:
> I had the same requirements and ended up using Spring Security. Although Spring Security
> is not set up for AJAX itself, you can make a filter that catches all AJAX context after it
> goes through the security class filters. Take a look here:
>
> http://static.springsource.org/spring-security/site/
>
> If you think this is a solution for you let me know and I can provide more details.
>
> Jimmy
>
> On Feb 8, 2013, at 8:35 AM, Johannes Meyer <johannes.c.meyer@gmail.com> wrote:
>
>> Hi Konstantin,
>>
>> thank you for your answer.
>>
>>> HttpServletRequest.login(..) ?
>>> (in a Servlet 3.0 application)
>>
>> If I call this function, only the current request is authorized, but
>> not the whole session.
>>
>> Is there any solution to authorize the session?
>>
>> Thank you,
>> Johannes
>>
>> 2013/2/8 Konstantin Kolinko <knst.kolinko@gmail.com>:
>>> 2013/2/8 Johannes Meyer <johannes.c.meyer@gmail.com>:
>>>> Hello all,
>>>>
>>>> I'm developing a web application with asynchronous techniques (ExtJS).
>>>>
>>>> Most pages are secured with a "security-constraint", so the user
>>>> has to log in first.
>>>>
>>>>
>>>> The user gets prompted with a login dialog and can type in his username
>>>> and password. The data will be sent asynchronously to the server and the
>>>> user should be logged in.
>>>>
>>>> How can I best implement it?
>>>>
>>>> I tried to work with FORM authentication but it is not very elegant.
>>>>
>>>> Is there any solution to make an AJAX authentication?
>>>>
>>>> Or can I build a servlet that logs the user in without showing him any dialogs?
>>>>
>>>
>>> HttpServletRequest.login(..) ?
>>> (in a Servlet 3.0 application)
>>>
>>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
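As an added example that is not part of this thread, here is the browser side of the exchange the login servlet above expects: it form-encodes j_username and j_password the way req.getParameter() reads them, sends the session cookie along, and refuses to treat anything but a 200 JSON reply with "success": true as a login (an HTML login page or error page is a failure). The "/ajaxLogin" path and the injectable fetch are assumptions.

```javascript
// Added example (not from the thread): the browser-side half of the exchange
// the login servlet above expects. The "/ajaxLogin" path is an assumption.
const LOGIN_URL = "/ajaxLogin";

// Build the fetch() options for the login POST. URLSearchParams form-encodes
// the values, so '&', '=' and '%' inside a password survive the trip to
// req.getParameter("j_password") intact.
function buildLoginRequest(username, password) {
  const body = new URLSearchParams({ j_username: username, j_password: password });
  return {
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      "X-Requested-With": "XMLHttpRequest",
    },
    // send the JSESSIONID cookie, so the session the servlet marks as
    // authenticated is the one this page already holds
    credentials: "same-origin",
    body: body.toString(),
  };
}

// Decide what the servlet's reply means. Only an HTTP 200 JSON body with
// "success": true counts as logged in; a redirect to the container's login
// page or an HTML error page must never be mistaken for success.
function interpretLoginResponse(status, contentType, bodyText) {
  if (status !== 200 || !/^application\/json\b/.test(contentType || "")) {
    return { success: false, errortext: "unexpected response: HTTP " + status };
  }
  let data;
  try {
    data = JSON.parse(bodyText);
  } catch (e) {
    return { success: false, errortext: "response is not valid JSON" };
  }
  if (data.success === true) {
    return { success: true, errortext: null };
  }
  const text = typeof data.errortext === "string" ? data.errortext : "login failed";
  return { success: false, errortext: text };
}

// Full round trip; fetchImpl is injectable so the logic can be exercised
// without a server.
async function ajaxLogin(username, password, fetchImpl = globalThis.fetch) {
  const resp = await fetchImpl(LOGIN_URL, buildLoginRequest(username, password));
  const bodyText = await resp.text();
  return interpretLoginResponse(resp.status, resp.headers.get("content-type"), bodyText);
}
```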

