On 30.03.2017 20:10, Christopher Schultz wrote:
> Konstantin,
>
> On 3/30/17 4:19 AM, Konstantin Kolinko wrote:
>> 2017-03-30 11:02 GMT+03:00 Jan Vávra <va...@602.cz>:
>>> Hello, I have written a custom Realm and I need access to the
>>> request headers. The authentication should be computed from
>>> client certificate + id from custom http header X-IdUser. Can I
>>> somehow access the HTTPServletRequest instance?
>>
>> Not possible, by design.
>>
>> An Authenticator (a valve) can access the request and its headers. A
>> Realm cannot.
>
> I've always been frustrated by this, and it's one reason I do not use
> Tomcat's built-in authentication. I need to log authentication
> failures and their sources (IP address) and this information is simply
> not available through the Tomcat-provided APIs.
>
> I think there is definitely an opportunity here for improvement.

A naive question or three (I can't really ask any other kind in Java):

1) What is calling the following method?
https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/realm/DataSourceRealm.html#authenticate%28java.lang.String,%20java.lang.String%29

2) And (assuming that if you want to do non-standard things in the Realm, it means that
you are writing your own custom Realm), isn't there a possibility for any caller of (1)
above to pass anything it wants in the "credentials" argument?
(such as a caller IP address, the content of a HTTP header, etc.)
(to be parsed out and used by the authenticate method, for logging e.g.)

3) And, still assuming much, might one then perhaps use this element to specify a class
which would perform ditto parsing, prior to the authentication itself?
http://tomcat.apache.org/tomcat-9.0-doc/config/credentialhandler.html
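
Added example, not part of the original thread and not Tomcat's own code: since a Valve sees the request while a Realm does not, a small custom Valve can record rejected requests together with the client address and the X-IdUser header mentioned above. The package and class names are hypothetical, and treating a 401/403 response status as the failure signal is an assumption of this sketch (it suits BASIC or CLIENT-CERT style challenges).

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/**
 * Logs requests that end in 401/403 with their source address.
 * Assumed to be declared in the Context, e.g.
 * <Valve className="example.AuthFailureLogValve"/>, so that it wraps
 * the authenticator valve and the web application.
 */
public class AuthFailureLogValve extends ValveBase {

    private static final Log log = LogFactory.getLog(AuthFailureLogValve.class);

    public AuthFailureLogValve() {
        super(true); // this valve does not block async processing
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Let the rest of the pipeline (authenticator, application) run first.
        getNext().invoke(request, response);

        int status = response.getStatus();
        if (status != 401 && status != 403) {
            return;
        }
        // With BASIC auth the first, credential-less challenge is also a 401,
        // so record whether an Authorization header was actually presented.
        boolean credentialsSent = request.getHeader("Authorization") != null;
        log.warn("auth rejected status=" + status
                + " remote=" + request.getRemoteAddr() // peer address as seen by Tomcat
                + " idUser=" + clean(request.getHeader("X-IdUser"))
                + " credentialsSent=" + credentialsSent
                + " uri=" + clean(request.getRequestURI()));
    }

    /** Client-supplied values go to the log truncated and without control
     *  characters, so a header cannot forge extra log lines. */
    static String clean(String value) {
        if (value == null) {
            return "-";
        }
        String s = value.length() > 64 ? value.substring(0, 64) : value;
        return s.replaceAll("[^\\x20-\\x7E]", "?");
    }
}
```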