Mark Benussi wrote:

1.Filter to go in web.xml

* [EMAIL PROTECTED] javax.servlet.Filter Filter} to overide the 
HttpServletRequest and
* overide isUserInRole() using the
* * @author Mark Benussi
public class HttpServletRequestFilter implements Filter {

         * @see javax.servlet.Filter#destroy()
        public void destroy() {

         * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
         *      javax.servlet.ServletResponse, javax.servlet.FilterChain)
        public void doFilter(ServletRequest request, ServletResponse
                        FilterChain chain) throws IOException,
ServletException {

                HttpServletRequest httpServletRequest = (HttpServletRequest)
                HttpServletRequestWrapper wrappedRequest = new
                chain.doFilter(wrappedRequest, response);

         * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
        public void init(FilterConfig config) throws ServletException {

2. Request wrapper

* Wraps the [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
HttpServletRequest} * @author Mark Benussi
public class HttpServletRequestWrapper extends
                javax.servlet.http.HttpServletRequestWrapper {

         * The original [EMAIL PROTECTED] javax.servlet.http.HttpServletRequest
        private HttpServletRequest request = null;

         * Helper to manage any common security methods
        private static SecurityHelper jaasHelper = null;

         * Default constructor
* * @param request
         *            The original [EMAIL PROTECTED]
javax.servlet.http.HttpServletRequest HttpServletRequest}
        public HttpServletRequestWrapper(HttpServletRequest request) {

                if (jaasHelper == null) {
                        jaasHelper = new SecurityHelper();
                this.request = request;

         * @see
        public boolean isUserInRole(String role) {

                Subject subject = jaasHelper.getSessionSubject(request,
                return jaasHelper.isSubjectInRole(subject, role);

3. When you call youre LoginModule get the Subject and place in the session
and then write your own code to validate the Subject has the role required.

4. As for passing the session to your LoginModule, which I wouldn't do in a
puristic way as the LoginModule should be able to be used by a wing app just
as much as a web app.
well. my login module would be for the very special purpose of making SSO of webapps possible, so i wouldn't have much of a problem with this.

Contstruct a CallBackHandler with the username and password but also with
the session or request. Then in your loginmodule you will have access to the
request/session when you invoke handle callback

wow. thanks a lot!
the code looks much simpler than i would have expected.

i think this will do nicely. :)


To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to