Well, the whole thing works like this:

1. User submits the login form (assuming you are using FORM based
authentication with j_security_check).
2. Tomcat retrieves the j_username and j_password form values and passes
them to the configured Realm's authenticate method.
3. If the user is successfully authenticated, subsequent calls to
request.getUserPrincipal() will return a java.security.Principal object
reference. A null will be returned if the authentication failed for some
reason.

The Principal object has methods that will help you get the user's login ID
and a few other things (check the API docs). It is up to you to store this
information in the user's session for retrieval later.

The interesting thing here is that Realm is part of Catalina's classpath and
is not visible to the web application. Also, the Realm class knows nothing
about the web app and does not have access to the HttpRequest or other data.
All it gets is a user name and password (check the signature of the
authenticate() method).

One other thing to keep in mind: The user should not hit the login page
(say login.jsp) directly. That is, let's say by typing
http://<host>/<webapp>/login.jsp. Tomcat displays the form-login-page (as
configured in web.xml) when an unauthenticated user tries to access a
protected resource.

Ask for protected resource --> Tomcat --> Tomcat saves requested resource
details --> Shows login page --> Form submitted to j_security_check --> Tomcat
calls the Realm's authenticate() method --> On successful authentication,
Tomcat redirects to original resource requested. (If the authentication
fails, Tomcat redirects to the configured form-error-page page).

You now have access to the Principal as returned by
request.getUserPrincipal().

Hope this helps.

Regards,

Gautam Satpathy
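The flow described above, as an added example that is not part of the original thread: a servlet sitting behind a Tomcat <security-constraint> that reads the Principal the Realm produced after form login, caches only the login ID in the session, and treats a null Principal on a supposedly protected URL as a misconfiguration. The servlet name, URL patterns, session attribute key and the "manager" role name are assumptions made for this example; the web.xml fragment in the leading comment shows the container configuration it relies on.

```java
/*
 * Assumed web.xml fragment (constructed for this example) that makes the
 * container, not the servlet, perform authentication:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Secure area</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>manager</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/error.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-role><role-name>manager</role-name></security-role>
 */
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Mapped to /secure/whoami in the assumed web.xml. */
public class WhoAmIServlet extends HttpServlet {

    /** Session attribute under which the login ID is cached (constructed name). */
    static final String LOGIN_ID_KEY = "example.loginId";

    /**
     * Returns the container-authenticated login ID, or null when the Realm
     * did not authenticate this request. Kept separate from doGet so the
     * decision can be unit-tested with a mocked request.
     */
    static String loginIdOf(HttpServletRequest req) {
        Principal p = req.getUserPrincipal();    // set by the Realm on success
        return (p == null) ? null : p.getName(); // same value as req.getRemoteUser()
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String loginId = loginIdOf(req);
        if (loginId == null) {
            // Only reachable if this URL is not covered by a <security-constraint>.
            // Refuse rather than fall back to an application-level check.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "resource is not protected by the container");
            return;
        }

        // Store only the String you need; the Principal object itself belongs
        // to the container and may not be serializable across session storage.
        HttpSession session = req.getSession(true);
        if (session.getAttribute(LOGIN_ID_KEY) == null) {
            session.setAttribute(LOGIN_ID_KEY, loginId);
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("user: " + loginId);
        // Role membership also comes from the Realm, not from the web app.
        out.println("manager role: " + req.isUserInRole("manager"));
    }
}
```

Because the Realm never sees the HttpServletRequest, anything beyond the login ID and roles (display name, e-mail, preferences) has to be looked up by the web application itself, keyed on getName(), and that lookup is what you would cache in the session.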


----- Original Message -----
From: "Tam, Michael" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Saturday, December 14, 2002 5:46 AM
Subject: RE: Retrieve User - Realm


> Sorry for the misleading.  You are right Jeanfrancois.  Thank you for
> pointing this out.
>
> If only user name needed, try getRemoteUser().
> If principal(user) object needed, try getUserPrincipal().
>
> Regards,
> Michael
>
> -----Original Message-----
> From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 13, 2002 11:53 AM
> To: Tomcat Users List
> Subject: Re: Retrieve User - Realm
>
>
> I think you are wrong. What he is looking for is:
>
> HttpServletRequest.getUserPrincipal() that return the
> java.security.Principal object created within the Realm.
>
> -- Jeanfrancois
>
> Tam, Michael wrote:
>
> >It is in the API.  Take a look at
> >javax.servlet.http.HttpServletRequest.getRemoteUser()
> >
> >Cheers,
> >Michael
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >Sent: Friday, December 13, 2002 10:14 AM
> >To: [EMAIL PROTECTED]
> >Subject: Retrieve User - Realm
> >
> >
> >Hello,
> >
> >I searched many places and read many things, but I didn't
> > find any example that retrieve the user from the session
> > after it is authenticated with realm.
> >
> >Can someone help me?
> >
> >Thanks.
> >________________________________________________
> >Don't E-Mail, ZipMail! http://www.zipmail.com/
> >
> >--
> >To unsubscribe, e-mail:
> ><mailto:[EMAIL PROTECTED]>
> >For additional commands, e-mail:
> ><mailto:[EMAIL PROTECTED]>
> >
>
>

