1.Filter to go in web.xml
/**
* [EMAIL PROTECTED] javax.servlet.Filter Filter} to overide the
HttpServletRequest and
* overide isUserInRole() using the
* [EMAIL PROTECTED] com.ibt.framework.security.tomcat.HttpServletRequestWrapper
HttpServletRequestWrapper}
*
* @author Mark Benussi
*/
public class HttpServletRequestFilter implements Filter {
/**
* @see javax.servlet.Filter#destroy()
*/
public void destroy() {
}
/**
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
* javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse
response,
FilterChain chain) throws IOException,
ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest)
request;
HttpServletRequestWrapper wrappedRequest = new
HttpServletRequestWrapper(
httpServletRequest);
chain.doFilter(wrappedRequest, response);
}
/**
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
public void init(FilterConfig config) throws ServletException {
}
}
2. Request wrapper
/**
* Wraps the [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest}
* @author Mark Benussi
*/
public class HttpServletRequestWrapper extends
javax.servlet.http.HttpServletRequestWrapper {
/**
* The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest}
*/
private HttpServletRequest request = null;
/**
* Helper to manage any common security methods
*/
private static SecurityHelper jaasHelper = null;
/**
* Default constructor
*
* @param request
*The original [EMAIL PROTECTED]
javax.servlet.http.HttpServletRequest HttpServletRequest}
*/
public HttpServletRequestWrapper(HttpServletRequest request) {
super(request);
if (jaasHelper == null) {
jaasHelper = new SecurityHelper();
}
this.request = request;
}
/**
* @see
javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String)
*/
public boolean isUserInRole(String role) {
Subject subject = jaasHelper.getSessionSubject(request,
false);
return jaasHelper.isSubjectInRole(subject, role);
}
}
3. When you call youre LoginModule get the Subject and place in the session
and then write your own code to validate the Subject has the role required.
4. As for passing the session to your LoginModule, which I wouldn't do in a
puristic way as the LoginModule should be able to be used by a wing app just
as much as a web app.
Contstruct a CallBackHandler with the username and password but also with
the session or request. Then in your loginmodule you will have access to the
request/session when you invoke handle callback
-Original Message-
From: Edmund Urbani [mailto:[EMAIL PROTECTED]
Sent: 16 August 2005 15:14
To: Tomcat Users List
Subject: Re: howto configure JAAS+SSO
Mark Benussi wrote:
Hi Edmund.
I am sorry but I don't know much about SSO.
However I can tell you about JAAS in Tomcat. In 5 certainly there are
issues. Essentially when you call the LoginModule to invoke your JAAS
config
it works but it does not authenticate the proper session Subject. What you
end up doing (Or what I did) was place a request filter in the app that
wraps the request with an overridden RequestWrapper and you write your own
inUserInRole against the Subject that the LoginModule returns (By placing
it
in the session)
If you want some code, taken from Wendy Smoak and others I can provide.
thanks.
I'm currently considering to write my own login module in order to share
authentication data across login contexts. i would need to access
session cookies from the module and i'm not sure how/if this can be done
yet.
i've never written a requestwrapper myself, so i can't really tell how
hard/complicated that would be. i'd be glad, if you could provide me
with some code to look at. that could certainly help me decide on how to
go on about that SSO requirement.
Edmund
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
