-----Original Message-----
From: Larry Meadors [mailto: [EMAIL PROTECTED]]
Sent: 29 September 2005 04:01
To: Tomcat Users List
Subject: Re: Capturing User Passwords
Here is the code (this is for tomcat 4.1.x):
if(log.isDebugEnabled()){
Principal principal = req.getUserPrincipal();
PropertyDescriptor[] pds;
pds =
PropertyUtils.getPropertyDescriptors(principal.getC lass());
for(int i = 0; i < pds.length; i++){
try {
String name = pds[i].getName();
Object value = PropertyUtils.getProperty(principal,
name);
log.debug("pds." + name + " = " + value);
} catch (Exception e) {
e.printStackTrace();
}
}
}
Larry
On 9/28/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>
>
> I am trying to find a way of capturing a user's password so that I can
have
> the user login to one of my web applications (which acts as a client),
and
> pass it to a second application (which acts as the server).
>
> I know that I can retrieve the user from the ServletRequest using
> req.getUserPrincipal(). However, I do not know how I can retrieve the
> password.
>
> Can anyone offer any advice on whether this can be done and if so, the
best
> way of doing it?
>
> [ I did attempt to use forms-based authentication and use a filter to
> capture the password whenever the j_security_check action was invoked.
> However, I read in another post that Tomcat does not allow filters to
be
> placed on j_security_check. ]
>
> Once I have the password, I'd ideally be looking at converting it to a
> Credentials object, so that I could pass that to my second app, rather
than
> passing the raw password. Does anyone know whether this can be
achieved by
> using Tomcat's UserPasswordCredentials class?
>
> Also, to prevent the password been exposed in the URL posted from the
login
> page, I'd also be looking to implement SSL. I presume that this will
cause
> encryption problems. Does anyone have any advice about how I could
work
> around this?
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> [EMAIL PROTECTED]
> For additional commands, e-mail:
> [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
IMPORTANT NOTICE
If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to the statement below or contact the sender.
This communication is from Deloitte & Touche LLP. Deloitte & Touche LLP is a limited liability partnership registered in England and Wales with registered number OC303675. A list of members' names is available for inspection at Stonecutter Court, 1 Stonecutter Street, London EC4A 4TR, United Kingdom, the firm's principal place of business and registered office. Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority.
This communication and any attachments contain information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of disclosure, distribution, copying or use of this communication or the information in it or in any attachments is strictly prohibited and may be unlawful. If you have received this communication in error, please return it with the title "received in error" to [EMAIL PROTECTED] then delete the email and destroy any copies of it.
E-mail communications cannot be guaranteed to be secure or error free, as information could be intercepted, corrupted, amended, lost, destroyed, arrive late or incomplete, or contain viruses. We do not accept liability for any such matters or their consequences. Anyone who communicates with us by e-mail is taken to accept the risks in doing so.
When addressed to our clients, any opinions or advice contained in this e-mail and any attachments are subject to the terms and conditions expressed in the governing Deloitte & Touche LLP client engagement letter.
Opinions, conclusions and other information in this e-mail and any attachments which do not relate to the official business of the firm are neither given nor endorsed by it.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
