Hi André, hi Christopher,

The use of HTTP BASIC authentication confuses things here because
of the credential transfer mechanism (HTTP headers). I suppose
you could write a Valve that sniffs the user's IP address and
then adds HTTP headers to the request for the "Authentication"
header to essentially force a login. You'll have to decide what
the user's Principal will need to look like (because Tomcat will
actually try to /verify/ the fake-user's credentials and maintain
a "login" for them, running proper authorization checks, etc.) in
order to actually work.


I managed to get it working. If you are interested in my solution for Tomcat 6: I extended the Valve RequestFilterValve and overrode the method process with this content:

// Check the allow patterns
for (int i = 0; i < allows.length; i++) {
  if (allows[i].matcher(property).matches()) {
    // create a principal for an existing fake user
    final List<String> roles = new ArrayList<String>();
    roles.add("ROLE");
    final Principal principal = new GenericPrincipal(null, "USER", "PASS", roles);
    // set the principal in this request
    request.setUserPrincipal(principal);
  }
}
// pass this request to the next valve (basic authentication)
getNext().invoke(request, response);
return;

If the user has an allowed IP address, the UserPrincipal will be set in this request, so that the next valve (the Basic Authentication) will not show the login window. If the user has another IP address, the request will be forwarded to the next valve without any changes, so you need to log in.

At first I tried solving it with RequestWrappers and changing headers, but that failed, because the Basic Authentication method tests for the UserPrincipal.

Thanks for your help,
Remon
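As an added example (not Remon's code), the same idea carried through to a complete Tomcat 6 valve: it also supplies the abstract invoke method, leaves a principal that an earlier valve already set untouched, and documents the allow-pattern and reverse-proxy caveats. The class name, user name and role name are placeholders.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.RequestFilterValve;

/**
 * Hypothetical valve: requests from allow-listed addresses get a
 * pre-authenticated principal, everything else falls through to
 * BasicAuthenticator unchanged. Declared in context.xml, e.g.
 *   <Valve className="com.example.TrustedAddressLoginValve"
 *          allow="127\.0\.0\.1,10\.0\.0\.5"/>
 */
public class TrustedAddressLoginValve extends RequestFilterValve {

    private static final String TRUSTED_USER = "USER"; // placeholder
    private static final String TRUSTED_ROLE = "ROLE"; // placeholder

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Address of the TCP peer as seen by the connector. Behind a reverse
        // proxy this is the proxy's address, so either allow-list only the
        // proxy or run RemoteIpValve in front of this valve.
        process(request.getRemoteAddr(), request, response);
    }

    @Override
    protected void process(String property, Request request, Response response)
            throws IOException, ServletException {
        // Never replace a principal set by an earlier valve or authenticator.
        if (request.getUserPrincipal() == null) {
            for (int i = 0; i < allows.length; i++) {
                // matches() needs the whole address to match, and "." is a
                // regex wildcard, so dots in the allow attribute must be escaped.
                if (allows[i].matcher(property).matches()) {
                    List<String> roles = new ArrayList<String>();
                    roles.add(TRUSTED_ROLE);
                    Principal p = new GenericPrincipal(null, TRUSTED_USER, null, roles);
                    request.setUserPrincipal(p);
                    break;
                }
            }
        }
        // Unmatched addresses continue to BasicAuthenticator and must log in.
        getNext().invoke(request, response);
    }
}
```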
