Craig,
Further testing shows that the HTTP session was not established when my customized Valve
was invoked. How could I fix it?
Thanks in advance.
-Jerry
-----Original Message-----
From: Fang, Jerry
Sent: Friday, January 11, 2002 3:43 PM
To: [EMAIL PROTECTED]
Subject: RE: Question about login backdoor
Craig,
I need some help in implementation.
I created two classes, one customized Valve and one customized Realm.
a) I made my Valve to intercept HTTP request and call setUserPrincipal if a special
token is authenticated.
b) I changed server.xml to use my customized realm. My customized realm extends
JDBCRealm and overrides the hasRole() method.
The result: partially working.
a) User can access the pages when the token is passed along. For example,
http://myhost/protected_area?token=XXXXXXXXXXXXXXXXXX -- works
I checked the output; the access control is fine. My tweaked hasRole() method was
called.
b) I was expecting that the session would store the login info once the above URL is accessed.
But that is not the case! For example, a follow-up GET request
http://myhost/protected_area/subdir
brings up a login page (since I used FORM auth).
Do you know why?
Thanks for the help!
-Jerry Fang
P.S. Attached is my code:
==================================================
Here is my Valve:
--------------------------------------------------
// Imports and class declaration added for completeness; the post shows
// only the two methods. The class name is assumed (the post gives none).
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;
import org.apache.catalina.valves.ValveBase;

public class TokenLoginValve extends ValveBase
{
    public void invoke(Request request, Response response,
                       ValveContext context)
        throws IOException, ServletException
    {
        // Try the token login first, then let the rest of the pipeline
        // (including the FORM authenticator) run as usual.
        checkPassLogin(request, response, context);
        context.invokeNext(request, response);
    }

    protected void checkPassLogin(Request request, Response response,
                                  ValveContext context)
        throws IOException, ServletException
    {
        // If this is not an HTTP request, do nothing
        if (!(request instanceof HttpRequest) ||
            !(response instanceof HttpResponse)) {
            return;
        }
        if (!(request.getRequest() instanceof HttpServletRequest) ||
            !(response.getResponse() instanceof HttpServletResponse)) {
            return;
        }

        // References to objects we will need later
        HttpRequest hreq = (HttpRequest) request;
        HttpServletRequest hsreq = (HttpServletRequest) request.getRequest();

        // Have we already authenticated someone?
        Principal principal = hsreq.getUserPrincipal();
        if (principal != null)
            return;

        String token = hsreq.getParameter("token");
        if (token == null)
            return;
        log("found token: " + token);   // log() and authenticate() are helpers
                                        // of this class not shown in the post
        principal = authenticate(null, token);
        if (principal != null)
            hreq.setUserPrincipal(principal);   // request-scoped only: nothing
                                                // is stored in the session here
    }
}
--------------------------------------------------
==================================================
Here is my Realm:
--------------------------------------------------
import java.security.Principal;

import org.apache.catalina.realm.JDBCRealm;

// SimplePrincipal is not a Catalina class; its definition and import are
// not included in the post.
public class JDBCRealmExt extends JDBCRealm
{
    public boolean hasRole(Principal principal, String role)
    {
        // Principals produced by the normal JDBC login path are checked by
        // JDBCRealm as before; only token-login principals are handled here.
        if (!(principal instanceof SimplePrincipal))
            return super.hasRole(principal, role);
        else {
            System.out.println("SimplePrincipal: hasRole(): " + role);
            SimplePrincipal sp = (SimplePrincipal) principal;
            return sp.hasRole(role);
        }
    }
}
-------------------------------------------------
--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
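Editor's added example (not Jerry's code and not part of the original thread) showing why the login does not survive the first request and how a valve can make it persist. In Tomcat 4, AuthenticatorBase.invoke() trusts a Principal only if it is already set on the current request or cached in the container-level org.apache.catalina.Session (session.getPrincipal()); HttpRequest.setUserPrincipal() is request-scoped, so on the next token-less request the FORM authenticator finds nothing and shows the login page. The class name, the "token" parameter name, the "TOKEN" auth-type string and the method names below are assumptions. The code targets the Tomcat 4.0 Catalina API (Context.getManager(), Manager.findSession(), Session.setPrincipal()/setAuthType(), HttpRequest.setAuthType()), assumes the valve is declared inside a <Context> so getContainer() is the Context, and assumes the custom Realm's authenticate(username, credentials) treats a null username plus a token as a token lookup, as the post's own authenticate(null, token) call suggests; plain JDBCRealm does not do that.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.catalina.Context;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.Manager;
import org.apache.catalina.Realm;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.Session;
import org.apache.catalina.ValveContext;
import org.apache.catalina.valves.ValveBase;

/**
 * Illustrative valve (assumed name, not the poster's code). It validates a
 * "token" request parameter through the Context's Realm and caches the
 * resulting Principal in the Catalina Session, the place Tomcat 4's
 * AuthenticatorBase consults on later requests.
 */
public class SessionCachingTokenValve extends ValveBase {

    // Request parameter carrying the token (assumed, as in the post).
    private static final String TOKEN_PARAM = "token";

    // Auth type recorded on request and session; a constant chosen here,
    // not a Catalina constant.
    private static final String AUTH_TYPE = "TOKEN";

    public void invoke(Request request, Response response, ValveContext context)
            throws IOException, ServletException {
        if (request instanceof HttpRequest && response instanceof HttpResponse) {
            loginFromToken((HttpRequest) request);
        }
        context.invokeNext(request, response);
    }

    private void loginFromToken(HttpRequest hreq) throws IOException {
        HttpServletRequest hsreq = (HttpServletRequest) hreq.getRequest();

        // Someone is already authenticated on this request: nothing to do.
        if (hsreq.getUserPrincipal() != null) {
            return;
        }

        // Step 1: a Principal cached by an earlier token login is re-attached
        // to this request, so the FORM authenticator does not challenge again.
        Session session = findCatalinaSession(hreq, false);
        if (session != null && session.getPrincipal() != null) {
            hreq.setAuthType(session.getAuthType());
            hreq.setUserPrincipal(session.getPrincipal());
            return;
        }

        // Step 2: no cached login; look for a token on this request.
        String token = hsreq.getParameter(TOKEN_PARAM);
        if (token == null || token.length() == 0) {
            return;
        }

        // Validate through the Realm; the parameter alone proves nothing.
        Realm realm = getContainer().getRealm();
        Principal principal = (realm == null) ? null : realm.authenticate(null, token);
        if (principal == null) {
            return; // invalid token: leave the request unauthenticated
        }

        // Step 3: attach to the request AND cache in the session. The cache
        // step is what the posted valve omitted.
        hreq.setAuthType(AUTH_TYPE);
        hreq.setUserPrincipal(principal);
        session = findCatalinaSession(hreq, true);
        if (session != null) {
            session.setAuthType(AUTH_TYPE);
            session.setPrincipal(principal);
        }
    }

    /**
     * Resolve the org.apache.catalina.Session behind the servlet HttpSession
     * via the Context's Manager, the same route Tomcat 4's AuthenticatorBase
     * takes. Assumes this valve is configured inside a Context.
     */
    private Session findCatalinaSession(HttpRequest hreq, boolean create) throws IOException {
        HttpServletRequest hsreq = (HttpServletRequest) hreq.getRequest();
        HttpSession hses = hsreq.getSession(create);
        if (hses == null) {
            return null;
        }
        Manager manager = ((Context) getContainer()).getManager();
        return (manager == null) ? null : manager.findSession(hses.getId());
    }
}
```

Two practitioner notes. First, once the Principal is cached, it lives as long as the Catalina Session, so session timeout and invalidation govern how long a token login stays valid; make sure that matches what the token is meant to grant. Second, a token carried in the query string is written to the access log and can leak through browser history and Referer headers, so it has to be treated as a credential: short-lived, single-use where possible, and never echoed back in log messages as the posted valve's log("found token: ...") does.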