I'm using a filter for the same thing, and I can tell you something....

it is blazingly fast, flexible, standard and, in most cases, portable (Filters are part of the Servlet spec.). So, your best option for your custom authorization/authentication would be the filters..... besides.... my authentication filter that uses database tables to grant some functionality to the users on my system works like a charm with 55 lines of code (lots of boilerplate).... with the "Modifying servlet" approach.... I'm really stressing on this list how cumbersome, unportable and generally unacceptable modifying Tomcat without a good reason is, because there are so many options out there, and believe me, we aren't reinventing the wheel...

In case you're lazy, I'm posting my filter class.... it isn't great.... but does the work.... (Everything in Spanish :-D)

///////////// Code Begins Here /////////////////
/*
 * Created on 20-May-2004
 *
 * (c) 2004, Computadores Flor Hard Soft 2058 C.A.
 * ---- Caracas, Venezuela ----
 */
package com.florhard.motrum.filtros;

import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;

/**
 * @author John Villar
 * Filter that stops the user from performing actions in the system without having logged in
 */
public class FiltroLogin implements Filter {

    public void init(FilterConfig arg0) throws ServletException {
        // nothing
    }

    public void doFilter(
        ServletRequest request,
        ServletResponse response,
        FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest httpr = (HttpServletRequest) request;
        String sURI = httpr.getServletPath();

        // The login bean is kept in the HTTP session under "objeto_sesion"
        com.florhard.motrum.beans.Sesion sesion =
            (com.florhard.motrum.beans.Sesion) httpr.getSession().getAttribute(
                "objeto_sesion");

        // Pages reachable without a login: the index, the password check page and the root
        boolean condicionIndex = sURI.startsWith("/index.jsp");
        boolean condicionVerifica = sURI.startsWith("/verificarClave.jsp");
        boolean condicionRoot = sURI.equals("/");
        // Everything else requires a session whose bean reports a completed login
        boolean condicionSesion = (sesion != null) && (sesion.isLogeado());

        if (condicionIndex || condicionVerifica || condicionRoot || condicionSesion) {
            chain.doFilter(request, response);
        } else {
            ((HttpServletResponse) response).sendRedirect(
                httpr.getContextPath() + "/errorInicioSesion.html");
            return;
        }
    }

    public void destroy() {
        // nothing
    }

}
///////////// Code Ends Here ///////////////////

If anyone does find a vulnerability here, I would be glad to receive your observations on john.villar (at) florhard.com

Patrick Herber wrote:

Hi,

I need to implement a custom authorization for a web application, where the
access to the different resources is defined inside a database table with
some sort of rules, also using regular expressions.

I would like to know if the only method to do this is programmatically,
implementing - for example - a "SecurityFilter", which catches every request,
or extending the service() method of the default Servlet of the application
with the necessary code or if there is another "more standard" way to do it
(perhaps using a Tomcat Valve or something similar).

Thanks a lot for your precious help.
Best regards
Patrick

Patrick Herber
Zürich (Switzerland)

--
John Villar
Project Manager
Computadores Flor Hard Soft 2058 C.A.
www.florhard.com
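One way to build the database-driven, regex-based authorization Patrick asks about on top of the Filter approach John recommends, as an added example that is neither John's code nor anything from the florhard project. It assumes a `roles` session attribute (a hypothetical name) holding a `Set<String>` populated at login, replaces the database table with a constructed in-memory list of (regex, required role) rows, and uses the same `javax.servlet` API the thread is about, with Java 5 syntax.

```java
package example.auth;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical authorization filter: the request path is matched against an
 * ordered list of (regex, required role) rules. The rule list is a constructed
 * in-memory table standing in for the database table; a real deployment would
 * load it in init() via JDBC.
 */
public class RuleAuthorizationFilter implements Filter {

    /** One row of the (constructed) rule table. */
    static final class Rule {
        final Pattern path;   // compiled regex; matched with matches(), i.e. whole path
        final String role;    // required role, or null for a public resource
        Rule(String regex, String role) {
            this.path = Pattern.compile(regex);
            this.role = role;
        }
    }

    /** Session attribute (an assumed name) holding the logged-in user's roles. */
    static final String ROLES_ATTR = "roles";

    private List<Rule> rules = Collections.emptyList();

    public void init(FilterConfig config) throws ServletException {
        // Constructed sample rules. Order matters: the first matching row wins,
        // so the catch-all "/.*" at the end is the default for everything else.
        List<Rule> table = new ArrayList<Rule>();
        table.add(new Rule("/login\\.jsp", null));       // public
        table.add(new Rule("/admin/.*", "admin"));
        table.add(new Rule("/reports/\\d+", "analyst"));
        table.add(new Rule("/.*", "user"));              // any logged-in user
        rules = table;
    }

    /** First rule whose regex matches the whole path, or null if none does. */
    Rule findRule(String path) {
        for (Rule r : rules) {
            if (r.path.matcher(path).matches()) {
                return r;
            }
        }
        return null;
    }

    /** Decision logic kept apart from servlet plumbing so it can be unit-tested. */
    boolean isAllowed(String path, Set<String> roles) {
        Rule r = findRule(path);
        if (r == null) {
            return false;              // fail closed: no rule, no access
        }
        if (r.role == null) {
            return true;               // public resource
        }
        return roles != null && roles.contains(r.role);
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false) avoids creating a session for every anonymous hit
        HttpSession session = req.getSession(false);
        @SuppressWarnings("unchecked")
        Set<String> roles = session == null
                ? null : (Set<String>) session.getAttribute(ROLES_ATTR);

        // Servlet path plus path info covers prefix-mapped servlets ("/reports/*");
        // both are already decoded and normalized by the container.
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path = path + req.getPathInfo();
        }

        if (isAllowed(path, roles)) {
            chain.doFilter(request, response);
        } else if (roles == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");  // not logged in
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);        // wrong role
        }
    }

    public void destroy() {
        rules = Collections.emptyList();
    }
}
```

Map it in web.xml with a `<filter-mapping>` whose `url-pattern` is `/*` so no resource is reachable around it. Two design points carry the security weight: the decision fails closed when no rule matches, and the regex is applied with `matches()` to the container-normalized servlet path and path info rather than to the raw request URI, so a rule such as `/admin/.*` is not sidestepped by a differently encoded or `..`-containing URL. Keep the rule table short and ordered from most to least specific, and reload it in `init()` (or on a timer) rather than querying the database on every request.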