I wonder where the mechanism that invokes the login window with user/pwd for
authentication is located, and how to turn it off? I have proxy-based
authentication in a server in front of my Tomcat, so the user is already
authenticated when the request reaches Tomcat.

- I have a small valve class, like in the snippet below, which catches the
  username and rolename from the HTTP header and stores them in
  ThreadLocal<String> so that my LoginModule can populate the
  subject-principal structure correctly, for JAAS-like role-based
  authorization.
- I have a modified JAASRealm (subclassed) which uses a dummy
  EmptyCallbackHandler instead of JAASCallbackHandler. The
  EmptyCallbackHandler is never called in LoginModule.login().
- login-config in web.xml is set to BASIC.

I understand that the login window is invoked just after the chain of valves
is passed, correct? How do I stop the login window from being invoked?
Can that be done in my valve class?

I have looked into the code of AuthenticatorBase, SingleSignOn,
BasicAuthenticator, and NonLoginAuthenticator, but have had no success yet
using that code.

Tomcat 6.0.20 is used.

Johan

-- snip ---
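import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.CometEvent;
import org.apache.catalina.Valve;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class AuthValve extends ValveBase {

    public AuthValve() {
    }

    @Override
    public void event(Request arg0, Response arg1, CometEvent arg2)
            throws IOException, ServletException {
        // Pass Comet events on to the next valve instead of swallowing them.
        getNext().event(arg0, arg1, arg2);
    }

    @Override
    public String getInfo() {
        return "This is the AuthValve";
    }

    @Override
    public Valve getNext() {
        return super.getNext();
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        System.out.println("valve.invoke() thread: "
                + Thread.currentThread().getName());
        // Identity asserted by the authenticating proxy in front of Tomcat.
        String username = request.getHeader("h_name");
        String rolename = request.getHeader("h_role");
        System.out.println("valve.invoke() name:<" + username + "> role:<"
                + rolename + ">");
        /*
         * Store info for LoginModule...
         */
        NameStore.setName(username);
        RoleStore.setRole(rolename);
        try {
            getNext().invoke(request, response);
        } finally {
            // Worker threads are pooled: clear the values so the next request
            // on this thread cannot inherit this identity.
            NameStore.setName(null);
            RoleStore.setRole(null);
        }
    }
}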
-- end snip ---
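
The LoginModule side of the hand-off described in the post, as an added example that is not the poster's code: it reads the identity the valve left on the request thread and fails closed when none is present. The class names and the two ThreadLocal fields (stand-ins for the poster's NameStore and RoleStore, which are not shown) are assumptions.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical LoginModule; every name in this class is an assumption.
public class HeaderLoginModule implements LoginModule {
    // Stand-ins for the post's NameStore/RoleStore, set by the valve per request.
    static final ThreadLocal<String> NAME = new ThreadLocal<String>();
    static final ThreadLocal<String> ROLE = new ThreadLocal<String>();

    // Distinct classes so a JAAS realm can tell user and role principals apart.
    static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    static final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    static final class RolePrincipal extends NamedPrincipal { RolePrincipal(String n) { super(n); } }

    private Subject subject;
    private String user, role;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; // the callback handler is deliberately unused
    }

    public boolean login() throws LoginException {
        user = NAME.get();
        role = ROLE.get();
        // Fail closed: no identity from the valve means no login.
        if (user == null || user.isEmpty() || role == null || role.isEmpty()) {
            throw new FailedLoginException("no proxy-supplied identity on this thread");
        }
        return true;
    }

    public boolean commit() {
        subject.getPrincipals().add(new UserPrincipal(user));
        subject.getPrincipals().add(new RolePrincipal(role));
        return true;
    }

    public boolean abort() { user = null; role = null; return true; }

    public boolean logout() { subject.getPrincipals().clear(); return true; }
}
```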