1.Filter to go in web.xml /** * [EMAIL PROTECTED] javax.servlet.Filter Filter} to overide the HttpServletRequest and * overide isUserInRole() using the * [EMAIL PROTECTED] com.ibt.framework.security.tomcat.HttpServletRequestWrapper HttpServletRequestWrapper} * * @author Mark Benussi */ public class HttpServletRequestFilter implements Filter {
/** * @see javax.servlet.Filter#destroy() */ public void destroy() { } /** * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, * javax.servlet.ServletResponse, javax.servlet.FilterChain) */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpServletRequest = (HttpServletRequest) request; HttpServletRequestWrapper wrappedRequest = new HttpServletRequestWrapper( httpServletRequest); chain.doFilter(wrappedRequest, response); } /** * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) */ public void init(FilterConfig config) throws ServletException { } } 2. Request wrapper /** * Wraps the [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} * @author Mark Benussi */ public class HttpServletRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper { /** * The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} */ private HttpServletRequest request = null; /** * Helper to manage any common security methods */ private static SecurityHelper jaasHelper = null; /** * Default constructor * * @param request * The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest HttpServletRequest} */ public HttpServletRequestWrapper(HttpServletRequest request) { super(request); if (jaasHelper == null) { jaasHelper = new SecurityHelper(); } this.request = request; } /** * @see javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String) */ public boolean isUserInRole(String role) { Subject subject = jaasHelper.getSessionSubject(request, false); return jaasHelper.isSubjectInRole(subject, role); } } 3. When you call youre LoginModule get the Subject and place in the session and then write your own code to validate the Subject has the role required. 4. As for passing the session to your LoginModule, which I wouldn't do in a puristic way as the LoginModule should be able to be used by a wing app just as much as a web app. Contstruct a CallBackHandler with the username and password but also with the session or request. Then in your loginmodule you will have access to the request/session when you invoke handle callback -----Original Message----- From: Edmund Urbani [mailto:[EMAIL PROTECTED] Sent: 16 August 2005 15:14 To: Tomcat Users List Subject: Re: howto configure JAAS+SSO Mark Benussi wrote: >Hi Edmund. > >I am sorry but I don't know much about SSO. > >However I can tell you about JAAS in Tomcat. In 5 certainly there are >issues. Essentially when you call the LoginModule to invoke your JAAS config >it works but it does not authenticate the proper session Subject. What you >end up doing (Or what I did) was place a request filter in the app that >wraps the request with an overridden RequestWrapper and you write your own >inUserInRole against the Subject that the LoginModule returns (By placing it >in the session) > >If you want some code, taken from Wendy Smoak and others I can provide. > > > thanks. I'm currently considering to write my own login module in order to share authentication data across login contexts. i would need to access session cookies from the module and i'm not sure how/if this can be done yet. i've never written a requestwrapper myself, so i can't really tell how hard/complicated that would be. i'd be glad, if you could provide me with some code to look at. that could certainly help me decide on how to go on about that SSO requirement. Edmund --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]