If you are using IIS, IIS can propagate the REMOTE_USER variable for you so that authentication is already done.

As for authorization, there is a Valve called NonLoginAuthenticator
http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/authenticator/NonLoginAuthenticator.java?rev=1.3&content-type=text/vnd.viewcvs-markup
which trusts the surrounding container (IIS, Apache, ...) and I *think* it will perform the authorization constraints as defined in web.xml. Be careful with this Valve since (I guess) it ignores the login constraints in web.xml such as BASIC and FORM. It may also ignore other security constraints too, such as requiring HTTPS.


I remember a thread a long time ago that if you place a Valve in the pipeline that implements Authenticator then Tomcat will not put any other Authenticator-related code into the pipeline automagically (such as requiring FORM or BASIC authorization).

I haven't had time to play with this Valve yet, but give it a whirl, you might find out that all the code was already written, just not documented :(

I hope Bill is lurking, I'm pretty sure he was in on that thread oh so long ago.


-Tim


Pitre, Russell wrote:

It sounds like we should come up with a de facto way of achieving SSO with Tomcat and NTLM (since there are plenty of M$ workstations out there).....Which leads me to believe that a lot of people could very well benefit from this...... I'm required to implement this for our intranet application which I have found to be the most common need for such an implementation..........

I will investigate further into these methods and report back with any comments, suggestions, and if I need any further help (which will probably be the case).....After which, I will try to get some documentation......

Any thoughts, suggestions, comments?


Cheers Russ


