Mark Benussi wrote:
1.Filter to go in web.xml
/**
* [EMAIL PROTECTED] javax.servlet.Filter Filter} to overide the
HttpServletRequest and
* overide isUserInRole() using the
* [EMAIL PROTECTED] com.ibt.framework.security.tomcat.HttpServletRequestWrapper
HttpServletRequestWrapper}
*
* @author Mark Benussi
*/
public class HttpServletRequestFilter implements Filter {
/**
* @see javax.servlet.Filter#destroy()
*/
public void destroy() {
}
/**
* @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
* javax.servlet.ServletResponse, javax.servlet.FilterChain)
*/
public void doFilter(ServletRequest request, ServletResponse
response,
FilterChain chain) throws IOException,
ServletException {
HttpServletRequest httpServletRequest = (HttpServletRequest)
request;
HttpServletRequestWrapper wrappedRequest = new
HttpServletRequestWrapper(
httpServletRequest);
chain.doFilter(wrappedRequest, response);
}
/**
* @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
*/
public void init(FilterConfig config) throws ServletException {
}
}
2. Request wrapper
/**
* Wraps the [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest}
* @author Mark Benussi
*/
public class HttpServletRequestWrapper extends
javax.servlet.http.HttpServletRequestWrapper {
/**
* The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest}
*/
private HttpServletRequest request = null;
/**
* Helper to manage any common security methods
*/
private static SecurityHelper jaasHelper = null;
/**
* Default constructor
*
* @param request
* The original [EMAIL PROTECTED]
javax.servlet.http.HttpServletRequest HttpServletRequest}
*/
public HttpServletRequestWrapper(HttpServletRequest request) {
super(request);
if (jaasHelper == null) {
jaasHelper = new SecurityHelper();
}
this.request = request;
}
/**
* @see
javax.servlet.http.HttpServletRequestWrapper#isUserInRole(java.lang.String)
*/
public boolean isUserInRole(String role) {
Subject subject = jaasHelper.getSessionSubject(request,
false);
return jaasHelper.isSubjectInRole(subject, role);
}
}
3. When you call youre LoginModule get the Subject and place in the session
and then write your own code to validate the Subject has the role required.
4. As for passing the session to your LoginModule, which I wouldn't do in a
puristic way as the LoginModule should be able to be used by a wing app just
as much as a web app.
well. my login module would be for the very special purpose of making
SSO of webapps possible, so i wouldn't have much of a problem with this.
Contstruct a CallBackHandler with the username and password but also with
the session or request. Then in your loginmodule you will have access to the
request/session when you invoke handle callback
wow. thanks a lot!
the code looks much simpler than i would have expected.
i think this will do nicely. :)
Edmund
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
