Hi,

> I'm going to develop an authentication realm (based on FORM
> authentication) for TC 4.0.1 which performs a kind of
> challenge/response task: Put a challenge into a session variable
> on the login page (.jsp). The expected password would then be the
> encrypted challenge. Within my realm the decryption of the
> response and the verification against the stored session variable
> has to be performed. The problem is that the HTTP request is not
> accessible within TC 4.x realms. This was possible in TC 3.x.
> Is there any possibility to access a session variable in a TC 4.x
> custom realm? Thank you.

I came across the same problem in that the realm can only get the username/password from a form page and no other parameters you may want to use. (We have other parameters the user can select at login to indicate post-login preferences.)

Solution is to modify the Realm interface o.a.c.Realm to add

    public Principal authenticate(String username, String credentials,
                                  HttpServletRequest hreq);

and modified o.a.c.realm.RealmBase

    public Principal authenticate(String username, String credentials,
                                  HttpServletRequest hreq) {
        return authenticate(username, credentials);
    }

and then clone o.a.c.authenticator.FormAuthenticator so that it calls

    context.getRealm().authenticate(username, password, hreq);

Craig has replied to one of my earlier messages entitled 'Getting HttpRequest inside Realm/Tomcat 4' and the reasons behind why it was not possible.

You can use your own FormAuthenticator class by putting your class name in the o.a.c.startup.Authenticators.properties. You have to install these 2 class files and properties files as classes in the server/classes directory so they are loaded before the ones from the catalina.jar in server/lib

Rgds
Antony
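
An added example, not part of the original messages and not Tomcat code: one way the three-argument authenticate(username, credentials, hreq) described above could check a challenge held in the session. It substitutes HMAC-SHA256 over the challenge for the encrypt/decrypt step in the question, and assumes a current JDK, a hypothetical session attribute name "login.challenge", and a per-user secret that the realm looks up itself.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Added example: session-bound challenge check for the three-argument authenticate(). */
public final class ChallengeCheck {
    // Hypothetical attribute name; the login JSP stores the random challenge under it.
    static final String CHALLENGE_ATTR = "login.challenge";

    /**
     * @param secret   the user's stored key, looked up by the realm (assumption)
     * @param response hex string submitted in the password field
     */
    public static boolean verify(HttpServletRequest hreq, byte[] secret, String response)
            throws GeneralSecurityException {
        HttpSession session = hreq.getSession(false); // never create a session here
        if (session == null || response == null) {
            return false;
        }
        Object challenge = session.getAttribute(CHALLENGE_ATTR);
        // Consume the challenge before checking so a response cannot be replayed or retried.
        session.removeAttribute(CHALLENGE_ATTR);
        if (!(challenge instanceof String)) {
            return false;
        }
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] expected = mac.doFinal(((String) challenge).getBytes(StandardCharsets.UTF_8));
        byte[] supplied = hexToBytes(response);
        // MessageDigest.isEqual compares in constant time on current JDKs.
        return supplied != null && MessageDigest.isEqual(expected, supplied);
    }

    /** Returns null for anything that is not well-formed hex. */
    static byte[] hexToBytes(String s) {
        if (s.length() % 2 != 0) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

In the modified realm, the three-argument authenticate would call ChallengeCheck.verify(hreq, secret, credentials) and return the Principal only when it returns true. The challenge should be generated with SecureRandom each time the login page is rendered.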