On Fri, 11 Jan 2002 [EMAIL PROTECTED] wrote:
> Date: Fri, 11 Jan 2002 17:49:35 -0600
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Question about login backdoor
>
>
> Craig,
>
> Further testing shows that the HTTP session was not established when my
> customized Valve was invoked. How could I fix it?
>
You can create a session from within a Valve or an Authenticator, just
like the application can in a servlet or JSP page.
In your authenticator, the simplest thing to do is use the getSession()
method in AuthenticatorBase if you are subclassing it. From a different
kind of Valve, this is the kind of code you'd need to include.
> Thanks in advance.
>
> -Jerry
>
Craig
>
>
> -----Original Message-----
> From: Fang, Jerry
> Sent: Friday, January 11, 2002 3:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Question about login backdoor
>
>
> Craig,
>
> I need some help in implementation.
>
> I created two classes, one customized Valve and one customized Realm.
> a) I made my Valve intercept the HTTP request and call setUserPrincipal if a
>    special token is authenticated.
> b) I changed server.xml to use my customized Realm. My customized Realm extends
>    JDBCRealm and overrides the hasRole() method.
>
> The result: partially working.
> a) Users can access the pages when the token is passed along. For example,
>    http://myhost/protected_area?token=XXXXXXXXXXXXXXXXXX -- works
>    I checked the output; the access control is fine. My tweaked hasRole() method
>    was called.
>
> b) I was expecting that the session would store the login info once the above
>    URL is accessed. But it is not the case! For example, a follow-up GET request
>    http://myhost/protected_area/subdir
>    brings up a login page (since I used FORM auth).
>
> Do you know why?
>
> Thanks for the help!
>
> -Jerry Fang
>
>
> P.S. Attached is my code:
>
> ==================================================
> Here is my Valve:
> --------------------------------------------------
> import java.io.IOException;
> import java.security.Principal;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import org.apache.catalina.HttpRequest;
> import org.apache.catalina.HttpResponse;
> import org.apache.catalina.Request;
> import org.apache.catalina.Response;
> import org.apache.catalina.ValveContext;
> import org.apache.catalina.valves.ValveBase;
>
> // Class name assumed: the post shows only the two methods below.
> public class TokenValve extends ValveBase
> {
>     public void invoke(Request request, Response response,
>                        ValveContext context)
>         throws IOException, ServletException
>     {
>         checkPassLogin(request, response, context);
>
>         context.invokeNext(request, response);
>     }
>
>     protected void checkPassLogin(Request request, Response response,
>                                   ValveContext context)
>         throws IOException, ServletException
>     {
>         // If this is not an HTTP request, do nothing
>         if (!(request instanceof HttpRequest) ||
>             !(response instanceof HttpResponse)) {
>             return;
>         }
>         if (!(request.getRequest() instanceof HttpServletRequest) ||
>             !(response.getResponse() instanceof HttpServletResponse)) {
>             return;
>         }
>
>         // References to objects we will need later
>         HttpRequest hreq = (HttpRequest) request;
>         HttpServletRequest hsreq = (HttpServletRequest) request.getRequest();
>
>         // Have we already authenticated someone?
>         Principal principal = hsreq.getUserPrincipal();
>         if (principal != null)
>             return;
>
>         String token = hsreq.getParameter("token");
>         if (token == null)
>             return;
>
>         log("found token: " + token);
>
>         // authenticate() and log() are the poster's own helpers; they are
>         // not included in the post.
>         principal = authenticate(null, token);
>
>         // This marks only the current request as authenticated; nothing is
>         // recorded in the session for the requests that follow.
>         if (principal != null)
>             hreq.setUserPrincipal(principal);
>     }
> }
> --------------------------------------------------
>
> ==================================================
> Here is my Realm:
> --------------------------------------------------
> import java.security.Principal;
> import org.apache.catalina.realm.JDBCRealm;
>
> public class JDBCRealmExt extends JDBCRealm
> {
>     // SimplePrincipal is the poster's own Principal class (not included in
>     // the post); any other Principal is handed to the stock JDBCRealm check.
>     public boolean hasRole(Principal principal, String role)
>     {
>         if (!(principal instanceof SimplePrincipal))
>             return super.hasRole(principal, role);
>         else {
>             System.out.println("SimplePrincipal: hasRole(): " + role);
>             SimplePrincipal sp = (SimplePrincipal) principal;
>             return sp.hasRole(role);
>         }
>     }
> }
> -------------------------------------------------
>
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
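The point Craig makes above (create the session from the Valve and record the login in it) and the gap Jerry hit (setUserPrincipal() marks only the current request, so the follow-up request without a token falls through to the FORM login page), worked through as an added example for Catalina 4.0. This is not code from the thread or from Tomcat; it assumes the Catalina 4.0 API (ValveBase, HttpRequest.setAuthType(), Session.setPrincipal(), Manager.findSession(), GenericPrincipal), replaces the poster's authenticate() helper with a constructed in-memory token table, and its class, method and constant names are the example's own.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.catalina.HttpRequest;
import org.apache.catalina.Manager;
import org.apache.catalina.Realm;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.Session;
import org.apache.catalina.ValveContext;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Token-login Valve for Catalina 4.0 (added example; names assumed).
 * Besides calling setUserPrincipal() for the current request it stores the
 * Principal in the Catalina Session, which is where AuthenticatorBase (and
 * so FormAuthenticator) looks for a cached login on later requests.
 */
public class SessionTokenValve extends ValveBase {

    /** Auth type recorded on the request and in the session. */
    public static final String TOKEN_AUTH = "TOKEN";

    /** Constructed sample table {token, user, roles}; a real deployment
     *  would look tokens up in a database and expire them. */
    private static final String[][] SAMPLE_TOKENS = {
        { "f3a1c9d2e8b74560f3a1c9d2e8b74560", "jerry", "manager,user" },
    };

    public void invoke(Request request, Response response, ValveContext context)
            throws IOException, ServletException {
        if (request instanceof HttpRequest
                && request.getRequest() instanceof HttpServletRequest) {
            tokenLogin((HttpRequest) request);
        }
        context.invokeNext(request, response);
    }

    protected void tokenLogin(HttpRequest hreq) throws IOException {
        HttpServletRequest hsreq = (HttpServletRequest) hreq.getRequest();

        // Already authenticated (e.g. a Principal restored from the session
        // earlier in the pipeline): nothing to do.
        if (hsreq.getUserPrincipal() != null)
            return;

        // As in the post, the token is a query parameter. Query strings land in
        // access logs, proxies and Referer headers; a request header or POST
        // body is the better carrier for a real deployment.
        String token = hsreq.getParameter("token");
        if (token == null)
            return;

        Principal principal = lookupToken(token, hreq.getContext().getRealm());
        if (principal == null)
            return;                              // never log the token value

        // Mark the current request as authenticated ...
        hreq.setAuthType(TOKEN_AUTH);
        hreq.setUserPrincipal(principal);

        // ... and record the login in the session so the next request, which
        // carries only the session cookie, is recognised. A session the client
        // presented before logging in is discarded first, so a pre-set session
        // id (session fixation) does not survive the login.
        HttpSession old = hsreq.getSession(false);
        if (old != null)
            old.invalidate();
        HttpSession hses = hsreq.getSession(true);
        Manager manager = hreq.getContext().getManager();
        Session session = manager.findSession(hses.getId());
        if (session != null) {
            session.setAuthType(TOKEN_AUTH);
            session.setPrincipal(principal);
        }
    }

    /** Map a token to a GenericPrincipal bound to the context's Realm (so the
     *  stock RealmBase.hasRole() accepts it), or return null. */
    protected Principal lookupToken(String token, Realm realm) {
        byte[] presented = token.getBytes();
        for (int i = 0; i < SAMPLE_TOKENS.length; i++) {
            if (constantTimeEquals(SAMPLE_TOKENS[i][0].getBytes(), presented)) {
                List roles = Arrays.asList(SAMPLE_TOKENS[i][2].split(","));
                return new GenericPrincipal(realm, SAMPLE_TOKENS[i][1], null, roles);
            }
        }
        return null;
    }

    /** Compare without an early exit, so timing does not reveal a prefix match. */
    private static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Declared as a <Valve> inside the <Context> in server.xml, the Valve sits ahead of the authenticator Valve in the same pipeline, so on the second request it finds no token and does nothing, and the authenticator restores the Principal from the session. Because the Principal is a GenericPrincipal tied to the context's Realm, the hasRole() override in the custom JDBCRealm is no longer needed. Invalidating the pre-login session also throws away any unauthenticated state it held; keep that in mind if the application stores data in the session before login.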