Sorry I glazed HttpSessionListener thanks. this is all I could find on overriding the FormAuthenticator http://mikal.org/interests/java/tomcat/archive/view?mesg=56125 is there official documentation?
do I have to muck with internal properties files to point to my Authenticator class? -----Original Message----- From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 23, 2002 10:41 AM To: Tomcat Users List Subject: RE: Do I have to use j_security_check to authenticate? On Tue, 23 Apr 2002, Tim Cronin wrote: > I've been dealing with this same problem. > All though Form base authentication is session based > the realm has no accessibility to the session object. > There are also no events that tell when the session is > first created only when objects are bound/unbound to the > session. That is not actually correct -- see HttpSessionListener.sessionCreated(). However, by itself it doesn't help much in the particular use case being discussed here. Yesterday I proposed a solution that used the sessionCreated() listener in combination with a filter to do what you wanted, while still remaining portable across any servlet 2.3 container. Check the archives. If you really wanted to modify Tomcat itself to support your paradigm, you'd want to subclass org.apache.catalina.authenticator.FormAuthenticator instead, and make it add the appropriate session attributes after the Realm indicates that the user has been successfully identified. Don't try to make the Realm implementation do this sort of thing -- that is not what it is designed for. Craig -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]> -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
