-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Lb,
lightbulb432 wrote: > Anytime I want to use more than two credentials, I have to provide my > own Realm implementation. But the only time I need to do the String > concatentation is when at least one of the additional credentials > (i.e. beyond username and password) is provided at request-time by > the user, rather than at deployment-time? Well, I think that if you are going to do your own Realm implementation, you're better off with my (long) suggestion from my previous post. The concatenation thing basically doesn't work... there's no way (unless you use javascript... <shudder>) to concatenate that information before the authenticator gets its hands on the credentials. > So for the example you gave with the "appId" property on my Realm > implementation, I wouldn't need to do String concatentation because > the user is only providing two credentials? Correct. The big problem with the Realm interface is that it doesn't accept an HttpServletRequest object... you only have access to the information that Tomcat wants you to have (like the username and password, and some other stuff like the message digest to use... MAYBE). Like I said, the Realm interface is a bit baffling. > But if the user were specifying what application they wanted to log > into, then I'd have to concatenate that before passing to the > authenticate method because Realm hasn't been instantiated with that > information? Er, yeah, but I have no idea how you'd do that. When you write your own Realm, you're still just getting the information Tomcat is willing to supply. If you want to pass more arguments, I think you're talking about replacing the authentication Valve at that point. Good luck! ;) > If your HTML form has a "j_username", "j_password" and > "myThirdCredential", where would you concatenate j_password and > myThirdCredential? I dunno. The plan goes like this: 1. Add the 3rd credential to your login form. 2. ??? 3. Profit. > I'm guessing you'd also have to override the servlet pointed to by > j_security_check - if I'm correct, how would you override this? You basically can't. > (My guess is the servlet class pointed to by the text > "j_security_check" is hardcoded somewhere within Tomcat?) I don't think it's a servlet... I think it's a Valve that intercepts requests to /j_security_check when applying authentication and authorization is appropriate for a particular (previously-requested) URL. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFG1y949CaO5/Lv0PARAhNbAKClocjf0+BChThtUij5UJFtU5wfxgCgw8x4 zAjGdSYzjSJS2ShblnECih4= =3r7s -----END PGP SIGNATURE----- --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
