Figured it out (was Re: Using a servlet for authorization)

2001-10-18 Thread Dr. Evil


This...

<servlet-mapping>
   <servlet-name>
 authservlet
   </servlet-name>
   <url-pattern>
 /secure/*
   </url-pattern>
</servlet-mapping>

and this

 RequestDispatcher rd =
 request.getRequestDispatcher("/secure/hello.jsp");
 rd.forward(request, response);

were causing a horrible loop.  I didn't realize that Tomcat would run
the servlet mappings on the args to getRequestDispatcher, but it
does.  The solution is simple:  make the url-pattern something else,
like securepages, and then it can serve the files out of the /secure/
directory.

This is going to be a fantastically useful auth method once I get it all
working.  Yet again, I find that Tomcat is enormously powerful and has
a steep learning curve.  The two go together I guess.



RE: Figured it out (was Re: Using a servlet for authorization)

2001-10-18 Thread Tarek M. Nabil

Dr. Evil, could you please explain your solution again, I didn't quite
get it.

-Original Message-
From: Dr. Evil [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 18, 2001 11:32 AM
To: [EMAIL PROTECTED]
Subject: Figured it out (was Re: Using a servlet for authorization)



This...

<servlet-mapping>
   <servlet-name>
 authservlet
   </servlet-name>
   <url-pattern>
 /secure/*
   </url-pattern>
</servlet-mapping>

and this

 RequestDispatcher rd =
 request.getRequestDispatcher("/secure/hello.jsp");
 rd.forward(request, response);

were causing a horrible loop.  I didn't realize that Tomcat would run
the servlet mappings on the args to getRequestDispatcher, but it
does.  The solution is simple:  make the url-pattern something else,
like securepages, and then it can serve the files out of the /secure/
directory.

This is going to be a fantastically useful auth method once I get it all
working.  Yet again, I find that Tomcat is enormously powerful and has
a steep learning curve.  The two go together I guess.



Re: Using a servlet for authorization

2001-10-18 Thread Craig R. McClanahan



On 18 Oct 2001, Dr. Evil wrote:

 Date: 18 Oct 2001 09:04:05 -
 From: Dr. Evil [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Using a servlet for authorization


 I am trying to use a servlet for authorization like this:

 There is a servlet called authservlet which checks to see if there is
 a valid user object in the session state.  Here is how it is used:

 I have a directory called /secure with a bunch of .jsp files in it.

 There is a mapping in web.xml:

<servlet-mapping>
   <servlet-name>
 authservlet
   </servlet-name>
   <url-pattern>
 /secure/*
   </url-pattern>
</servlet-mapping>

 Every time someone tries to request a page like /secure/hello.jsp, the
 request is instead handed to authservlet.  That part is working fine.
 authservlet gets the request and can decide what to do with it.

 The problem is that I am trying to get authservlet to pass the request
 back to the jsp by doing something like this:

 RequestDispatcher rd =
 request.getRequestDispatcher("/secure/hello.jsp");
 rd.forward(request, response);

 where in this case I have hard-coded in hello.jsp as the target, just
 for testing (obviously I will replace this with something which looks
 at what the real url is).

 The problem is, when I then try to load /secure/hello.jsp, it looks
 like the server goes into an infinite loop.  It never returns the page
 and I end up with a bunch of catalina processes running, which I have
 to kill -9 to get rid of.

It's not the server that went into a loop -- it's your application.

The request dispatcher mechanism uses the same servlet mappings that are
used on the original request.  Therefore, the request dispatcher for
/secure/hello.jsp will select your authentication servlet again, which
will get another request dispatcher, which will ...

The solution to this problem, at least in a Servlet 2.3 environment (like
Tomcat 4), is to use a Filter for performing this kind of authentication.
There was a thread on this over the last couple of days on TOMCAT-USER --
check the archives for some good ideas.


 I'm sure I'm making some simple mistake here.  Any suggestions?

 Thanks


Craig