Dinh, Chinh wrote:

Thanks for your help. I'm new to TOMCAT, so I may have some confusion.
I thought it's the way that TOMCAT does. We have to use REALM to authenticate as we
define this in web.xml:

 <login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>MyRealm</realm-name>
 </login-config>

It will pop up a login box, and Realm's authentication method will do the authentication. After the login, it'll call the Servlet's service(). In the Realm class, which extends org.apache.catalina.realm.RealmBase, there is no access to HttpRequest, Response, or Session at this point.

How do I store a data member of the Realm class somewhere (?) so that my servlet can access it?

Bill is right except that I don't know how to do that with Tomcat 4.1.x (without writing your own Authenticator class). With Tomcat 5, the Realm class contains 3 more methods you can use to achieve your goal:

- hasResourcePermission(HttpServletRequest,HttpServletResponse, SecurityConstraint, constraint)
- hasUserDataPermission(HttpServletRequest,HttpServletResponse, SecurityConstraint)
- findSecurityConstraint(HttpServletRequest,Context)


The Authentication mechanism will:

- (1) call the realm.findSecurityConstraint
- (2) call the realm.hasUserData
- (3) call realm.authenticate
- (4) call realm.hasResourcePermission

So you may add the realm instance to the session when (1) is invoked.

If you want to do it with Tomcat 4.1.x, you may override Authenticator.findSecurityConstraint(....).

For Tomcat 5.0.4, I would like to first do (3) then (1) (2)... but I'm still thinking about the way I would propose the change :-)

-- Jeanfrancois


Or is it something that should never be done? What'd be an alternative solution? I don't think Filter serves the goal that I describe above, am I correct? Thank you very much. - Chinh

Bill Barker <[EMAIL PROTECTED]> wrote:
I agree with Jean-Francois that the design is less than perfect ;-). You
should probably re-think it. However, I'm willing to give you more than
enough rope to hang yourself ;-).

1) If your custom Realm is configured under a , then simply
have it save an instance of itself into the Session.
2) If not, or otherwise, have it set a request-attribute with itself as the
value.

"Dinh, Chinh" wrote in message
news:[EMAIL PROTECTED]


Thanks for the response. My situation is like this:

- I created my own Realm for webDAV access. When I launch http://localhost:8080/webdav, it will first call myREalm's authentication(). Within authentication(), I call some existing authentication class, which returns a USER object (basically, has some application specific user properties).

- After the authentication is successful (from a Log-in Dialog box, for example), it will get to my servlet (in this case, a webDAVservlet). In this webDavServlet, I would like to get the USER object that I stored as a data member in my Realm class.

- That is the reason I want to be able to get the realm object from the servlet. Any advice? Thanks. - Chinh


Jean-Francois Arcand wrote:


Dinh, Chinh wrote:




I have a tomcat question for you.

In Tomcat's server.xml, we define a realm (only ONE)

When tomcat starts, I think it will instantiate a realm object of this type.

I am trying to find a way to access this realm object in my servlet (the servlet that starts after the realm's authentication succeeds).

There's a method "getRealm()" from org.apache.catalina.core.ContainerBase, but how would we get this ContainerBase?


No. For security reasons, a servlet should not have access to any Tomcat
classes. If your app is able to have access to those methods, any
malicious app can also have access and sniff the information.

Why do you want to have access to the realm?



Does Tomcat have some kind of global object of this type?



No... and in Tomcat 5, we have enforced the security protection mechanism
so it is mostly impossible to invoke Tomcat internal classes (when the
security manager is turned on).




Thank you. Chinh




-- Jeanfrancois



