Hello,
I currently have a custom realm in Tomcat 9 that uses form
authentication (j_username/j_password POST to j_security_check).  I'm
looking to create a secondary way to establish an authenticated
session.  I want to allow trusted sources to be able to POST a
username param to a specific URL and establish an authenticated
session with that provided username (I know, seems kind of scary, but
it's just for a proof of concept right now).  Eventually this
secondary method may replace the custom realm altogether, i.e.
offloading authentication to an external provider.

I've searched the list and other internet sources which led me to
attempt to extend the ValveBase to try and set a UserPrincipal on the
org.apache.catalina.connector.Request.  I was trying to intercept POST
requests to a new specific RequestURI and if the provided username
param is acceptable, I do the request.setUserPrincipal with the role
that is required.

Am I going down the wrong path to accomplish this?  When the valve
code gets hit, it doesn't seem that the user is really getting
authenticated; I believe because the request comes/goes and the
principal is getting lost when the request is done...

Also, I'm getting a 405 error on the actual POST, even though it
appears the principal gets established for that request...  Not sure
if this has something to do with the JSESSIONID cookie...

Thanks,
Tim
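
The following valve is an added example, not part of the original message and not Tomcat project code. It shows one way to make the principal outlive the login request by storing it on the internal Catalina session, and it gates the username POST behind a shared secret compared in constant time. The package, class name, `/trusted_login` URI, `user` role, `X-Trusted-Auth` header and `TRUSTED` auth-type label are hypothetical, and it assumes the valve runs ahead of the webapp's existing authenticator valve, which with its default `cache` setting restores the session principal on later requests.

```java
package example; // hypothetical package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

public class TrustedLoginValve extends ValveBase {
    private static final String LOGIN_PATH = "/trusted_login"; // hypothetical URI
    private static final String ROLE = "user";                 // hypothetical role
    private byte[] secret = new byte[0];                       // empty secret rejects every login

    // Set from <Valve className="example.TrustedLoginValve" sharedSecret="..."/>
    public void setSharedSecret(String s) { secret = s.getBytes(StandardCharsets.UTF_8); }

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        boolean loginPost = "POST".equals(request.getMethod())
                && (request.getContextPath() + LOGIN_PATH).equals(request.getRequestURI());
        if (!loginPost) {
            getNext().invoke(request, response); // everything else continues down the pipeline
            return;
        }
        String presented = request.getHeader("X-Trusted-Auth"); // hypothetical header
        String username = request.getParameter("username");
        boolean trusted = secret.length > 0 && presented != null
                && MessageDigest.isEqual(secret, presented.getBytes(StandardCharsets.UTF_8));
        if (!trusted || username == null || username.isEmpty()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        GenericPrincipal principal =
                new GenericPrincipal(username, null, Collections.singletonList(ROLE));
        Session session = request.getSessionInternal(true);
        request.changeSessionId();        // fresh session id at login, against session fixation
        session.setPrincipal(principal);  // kept with the session, unlike setUserPrincipal alone
        session.setAuthType("TRUSTED");   // hypothetical auth-type label
        request.setUserPrincipal(principal);
        request.setAuthType("TRUSTED");
        response.sendRedirect(request.getContextPath() + "/"); // answer the POST in the valve
    }
}
```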
