Shashank Rachamalla wrote:
Hi!
Is there any way to configure <security-constraint> for a webapp to
disable authentication and authorization for a particular IP address and
enable it for all other IP addresses?

Probably not, since I doubt that this is foreseen by the Servlet Specification. But I can think of a way, subject to confirmation by an expert on this list:

You could write a simple servlet filter which checks the caller's IP address and, if it matches, sets the user-id in the session to some pre-determined value. It is possible that when the authentication code finds out that there is already a user set, it would just return OK and let the call through. And for your application code, it would be easier to deal with a case where there is always a user-id (even if one is a dummy) than to have to deal with some cases where it is not set, no?

What I am not quite sure of is whether a filter runs early enough to precede the authentication part, or not.
I guess if not, then you would have to implement this as a Valve.
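
Added example, not part of the original thread and not Tomcat's own code: a sketch of the Valve variant mentioned above. Tomcat's authenticator is itself a Valve and is invoked before the webapp's filter chain, so the check has to sit in a Valve that runs ahead of it. The class name `TrustedAddressValve`, its properties and their default values are hypothetical, and the code assumes the Tomcat 7 to 9 API (`javax.servlet`, three-argument `GenericPrincipal`) and an authenticator with default settings that reuses a principal already set on the request.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical valve: pre-sets a dummy user for one trusted peer address. */
public class TrustedAddressValve extends ValveBase {

    // Constructed defaults; override them with attributes on the <Valve> element.
    private String trustedAddress = "127.0.0.1";
    private String userName = "trusted-host";
    private String roles = "user"; // comma-separated; must satisfy the <auth-constraint>

    public void setTrustedAddress(String trustedAddress) { this.trustedAddress = trustedAddress; }
    public void setUserName(String userName) { this.userName = userName; }
    public void setRoles(String roles) { this.roles = roles; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy it is the
        // proxy's address, so every proxied client would match. Never take
        // the address from a client-supplied header such as X-Forwarded-For.
        if (request.getUserPrincipal() == null
                && trustedAddress.equals(request.getRemoteAddr())) {
            List<String> roleList = Arrays.asList(roles.split("\\s*,\\s*"));
            // Role checks in Tomcat realms expect a GenericPrincipal.
            Principal dummy = new GenericPrincipal(userName, null, roleList);
            request.setUserPrincipal(dummy);
        }
        // Everyone else continues to the authenticator unchanged.
        getNext().invoke(request, response);
    }
}
```

Give the dummy user only the roles the trusted caller actually needs, since every request from that address is treated as already authenticated.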


