On Mar 21, 2009, at 11:49 AM, Jeff Schnitzer wrote:
> I have only spent a little while browsing through the Resin code, so
> apologies in advance if I'm misunderstanding something. I'd love to
> see something like:
> AbstractLogin.authenticate(HttpServletRequest request, Principal user,
> String credential) throws LoginException
> I just need any method that takes a user and password, checks it
> against the normal authentication SPI, and (if successful) registers
> the credentials to the container.
> I don't think I would need to customize the Login class. I wouldn't
> be using any of the j2ee standard auth mechanisms, just programmatic
> authentication, so I'm guessing I could have a BasicLogin and just
> never use it. As long as I can call the auth method from my normal
> webapp I'll be fine.
Right. That's a logical thing to add. The bug report is
I'm not sure yet if it belongs in Login. It might.
> BTW we are porting the opensource SubEthaMail over to Resin right now
> (http://subetha.tigris.org/). If we succeed, you might want to use it
> for this mailing list!
Very cool! We can take a look when it's ready.
> On Fri, Mar 20, 2009 at 10:15 AM, Scott Ferguson <f...@caucho.com>
>> On Mar 19, 2009, at 8:30 PM, Jeff Schnitzer wrote:
>>> The problem is, j2ee automatic authentication is nearly useless.
>>> It doesn't allow for autologin cookies nor does it allow me to
>>> sign up
>>> new users - they would have to then log in again. It blows my mind
>>> that a decade later the servlet spec hasn't addressed these simple
>> Yep. Almost as bizarre as not having multipart/mime (upload)
>> Resin 4.0 has refactored Resin's login/authentication (because our
>> model really didn't make much sense.)
>> The new Login handles servlet/http interaction and the Authenticator
>> handles pure user/credentials (the old model mixed the two concepts
>> into the old ServletAuthenticator.) So, the capabilities you're
>> looking for would be added to a Login class. I don't know if you're
>> looking for customizing the Login, or if you want a more general
>> capability in our AbstractLogin.
>> Since the new configuration uses Java DI, your application can grab
>> the login. The configuration looks like:
>> And then you could use
>> @Current AbstractLogin _login;
>> @Current BasicLogin _login;
>> (At present, the Login interface itself wouldn't be useful from a
>> programmatic standpoint, while we could add methods to
>> -- Scott
>>> I need a way, in my web app, to programmatically say to the
>>> "authenticate as this user/pass". Then these credentials will be
>>> for further calls into the EJB tier or for responding to
>>> HttpServletRequest.isUserInRole() calls. Of course at the SPI level
>>> these will end up calling into my Resin Authenticator.
>>> This is a pretty common problem, there must be a Resin way to do it.
>>> In JBoss5, it looks like this:
>>> SecurityClient securityClient =
>>> securityClient.setSimple("user", "password");
>>> On Thu, Mar 19, 2009 at 7:38 PM, Aaron Freeman <aaron.free...@layerz.com
>>>>> #2 is still a mystery to me. I'm in a servlet, how do I
>>>>> programmatically tell the container to "log me in" with a username
>>>> This page has a good overview of how to do it:
>>>> So you set up your security constraints in your resin.xml and
>>>> a custom authenticator inside the login-config. The create your
>>>> authenticator by AbstractAuthenticator.
>>>> Note the code in the example is referencing:
>>>> com.caucho.server.http.AbstractAuthenticator but I think you want
>>>> extend com.caucho.server.AbstractAuthenticator instead, as I think
>>>> .http. version is deprecated.
>>>> - Aaron
>>>> resin-interest mailing list
>>> resin-interest mailing list
>> resin-interest mailing list
> resin-interest mailing list
resin-interest mailing list