Ashish Jain wrote:
any takers for this Q???
On Thu, Jul 15, 2010 at 1:38 PM, Ashish Jain <ashja...@gmail.com> wrote:
Hi,
I have an application which uses a non-interactive login and hence utilizes the
NonLoginAuthenticator in Tomcat. Here is a snippet from web.xml.
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext-security.xml</param-value>
</context-param>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<login-config>
    <auth-method>NONE</auth-method>
    <realm-name>cas-authorize</realm-name>
</login-config>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protect JSPs</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>testUsers</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>testUsers</role-name>
</security-role>
However, I see that container security is invoked before any Spring-related
stuff.
Exactly. It is not specific to Spring. The container security is invoked before even
invoking the application, of which servlet filters are the first layer.
Since it is a non-interactive login, the Subject is not populated with any
principals, and hence Tomcat is unable to authorize access to the resource. My question
is: how can I revert the security mechanism so that Spring Security is invoked
before Tomcat security?
I don't think you can. As they say in French, you can't have at the same time the butter,
and the money of the butter.
If you want your first filter to be called in order to authenticate the user, then you'll
have to remove the container security, and do your own security check in a second filter,
invoked after the filter you already have has set the user-id.
Alternatively (but I don't know that part very well, so don't take my word for it), you
would have to remove your first filter, and use/create a Realm which authenticates the
user, which container-based security could then use.
See the standard
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
for an example.
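To illustrate the first option in the reply (drop the container constraint, let the existing filter authenticate, check the role in a second filter), here is an added example that is not from this thread, from Tomcat or from Spring Security: a servlet filter that re-implements the `*.jsp` / `testUsers` constraint from the posted web.xml. It assumes the filter mapped before it exposes the authenticated user through `getUserPrincipal()` and `isUserInRole()` (Spring Security's SecurityContextHolderAwareRequestFilter does this); the init-param names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Replaces the <security-constraint> (url-pattern *.jsp, role testUsers) once that
 * constraint and the <login-config> are removed from web.xml. It must be mapped
 * AFTER springSecurityFilterChain so the principal is already set when it runs.
 */
public class RoleCheckFilter implements Filter {
    // Hypothetical init-params; defaults mirror the original web.xml constraint.
    private String suffix = ".jsp";
    private String role = "testUsers";

    public void init(FilterConfig config) {
        if (config.getInitParameter("suffix") != null) suffix = config.getInitParameter("suffix");
        if (config.getInitParameter("role") != null) role = config.getInitParameter("role");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isProtected(request)) {
            if (request.getUserPrincipal() == null) {
                // Non-interactive login: no identity was established, so refuse rather than prompt.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!request.isUserInRole(role)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /** Mirrors the *.jsp pattern on the path inside the web app, ignoring ";jsessionid=..." path parameters. */
    boolean isProtected(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semi = path.indexOf(';');
        if (semi >= 0) path = path.substring(0, semi);
        return path.endsWith(suffix);
    }

    public void destroy() { }
}
```

Map it with a second <filter-mapping> for /* placed after the springSecurityFilterChain mapping, since filters run in the order their mappings appear in web.xml.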