Hello,

I'm (still) trying to implement a web application for my school project.
The idea is that everybody is allowed to see e.g. the default page (news),
but only authenticated users can e.g. access grades.

So far, no problem.

The web application builds up a menu based on the roles the user has. If
the user isn't authenticated the menu won't display items for which the
user has no privileges.

On each page there is a login box with a target of j_security_check. Here
I encountered the first problem. Jetty (and Tomcat) don't support direct
requests to the login page (which I'm doing).

Browsing through the source code of Jetty I found that Jetty checks a
session variable called org.mortbay.jetty.URI to see where it should
redirect the request after a successful login (see code below for a snippet
from FormAuthenticator).

If I set this session variable from my pages, all works fine. Except that
getUserPrincipal only returns the principal when accessing a protected
resource...

This is definitely not what I want. I want to be able to tell who is
viewing a page even if no security restrictions apply. Does anyone know
how to change this behavior?

Thx in advance.




==== CODE FROM FormAuthenticator

    public UserPrincipal authenticated(UserRealm realm,
                                       String pathInContext,
                                       HttpRequest httpRequest,
                                       HttpResponse httpResponse)
        throws IOException
    {
        HttpServletRequest request = (ServletHttpRequest)httpRequest.getWrapper();
        HttpServletResponse response = (HttpServletResponse)httpResponse.getWrapper();

        // Handle paths
        String uri = pathInContext;

        // Setup session
        HttpSession session = request.getSession(true);

        // Handle a request for authentication (a POST to j_security_check).
        if (uri.substring(uri.lastIndexOf("/")+1).startsWith(__J_SECURITY_CHECK))
        {
            // Check the session object for login info.
            String username = request.getParameter(__J_USERNAME);
            String password = request.getParameter(__J_PASSWORD);

            UserPrincipal user = realm.authenticate(username,password,httpRequest);
            // The URI saved before the redirect to the login page; without it
            // the login is treated as failed.
            String nuri = (String)session.getAttribute(__J_URI);
            if (user!=null && nuri!=null)
            {
                Code.debug("Form authentication OK for ",username);
                httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
                httpRequest.setAuthUser(username);
                httpRequest.setUserPrincipal(user);
                session.setAttribute(__J_AUTHENTICATED,user);
                response.sendRedirect(response.encodeRedirectURL(nuri));
            }
            else
            {
                Code.debug("Form authentication FAILED for ",username);
                if (_formErrorPage!=null)
                    response.sendRedirect(response.encodeRedirectURL(
                        URI.addPaths(request.getContextPath(),_formErrorPage)));
                else
                    response.sendError(HttpResponse.__403_Forbidden);
            }

            // Security check is always false, only true after final redirection.
            return null;
        }

        // Check if the session is already authenticated.
        UserPrincipal user = (UserPrincipal)session.getAttribute(__J_AUTHENTICATED);
        if (user != null)
        {
            if (user.isAuthenticated())
            {
                Code.debug("FORM Authenticated for ",user.getName());
                httpRequest.setAuthType(SecurityConstraint.__FORM_AUTH);
                httpRequest.setAuthUser(user.getName());
                httpRequest.setUserPrincipal(user);
                return user;
            }
        }

        // Don't authenticate authform or errorpage
        if (pathInContext!=null &&
            pathInContext.equals(_formErrorPage) ||
            pathInContext.equals(_formLoginPage))
            return SecurityConstraint.__NOBODY;

        // redirect to login page, remembering the context-relative URI that
        // was requested so the login can return there
        if (httpRequest.getQuery()!=null)
            uri += "?"+httpRequest.getQuery();
        session.setAttribute(__J_URI,
                             URI.addPaths(request.getContextPath(),uri));
        response.sendRedirect(response.encodeRedirectURL(
            URI.addPaths(request.getContextPath(),_formLoginPage)));
        return null;
    }
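One way to surface the logged-in user on pages that carry no security constraint, as an added example that is not part of the original post or of Jetty: a servlet filter that reads the principal the snippet above stores in the session (under FormAuthenticator.__J_AUTHENTICATED) and exposes it through getUserPrincipal() via a request wrapper. It assumes that constant is accessible, the Jetty 4-era package names org.mortbay.http.UserPrincipal and org.mortbay.jetty.servlet.FormAuthenticator, and a Servlet 2.3 container.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;
import org.mortbay.http.UserPrincipal;                 // assumed package
import org.mortbay.jetty.servlet.FormAuthenticator;     // assumed package

// Hypothetical filter (not Jetty code): identifies the user on unprotected
// pages from the session attribute FormAuthenticator sets after login.
public class SessionPrincipalFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // On protected resources the container has already set the principal.
        if (http.getUserPrincipal() == null) {
            // Never create a session just to look for a login.
            HttpSession session = http.getSession(false);
            Object o = (session == null) ? null
                     : session.getAttribute(FormAuthenticator.__J_AUTHENTICATED);
            // Only trust a principal the realm marked as authenticated.
            if (o instanceof UserPrincipal && ((UserPrincipal) o).isAuthenticated()) {
                req = new PrincipalRequest(http, (UserPrincipal) o);
            }
        }
        chain.doFilter(req, res);
    }

    // Wrapper that answers identity questions only. It grants no roles and
    // does not change the container's own security constraints, so access
    // decisions still come from web.xml.
    private static class PrincipalRequest extends HttpServletRequestWrapper {
        private final UserPrincipal user;
        PrincipalRequest(HttpServletRequest r, UserPrincipal u) { super(r); user = u; }
        public Principal getUserPrincipal() { return user; }
        public String getRemoteUser() { return user.getName(); }
    }
}
```

Map the filter to the pages that build the menu (for example `/*` in web.xml); the session attribute name is an internal Jetty detail, so check it against the FormAuthenticator source of the version in use.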

_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user