I'm running in an environment in which I sometimes need to authenticate
based on both location (IP address, say) and credential (uid/pwd). To make
this work, I need to have access to the remote address and/or host from the
HTTP request hitting the protected subweb. This information isn't available
if I've got BASIC authentication turned on (and probably not other
authentication strategies either, though I haven't looked at them lately).
To support what I need to do, I need to have a slight modification made to
org.apache.catalina.authenticator.BasicAuthenticator. The modified source is
attached from the 4.1 source archive. The strategy is the following:
o Add the following static declarations to the class:
public static final ThreadLocal REQUEST_ADDRESS = new ThreadLocal();
public static final ThreadLocal REQUEST_HOST = new ThreadLocal();
These give me a place to stick the address and host name from the incoming
request.
o Modify the authenticate() method in the vicinity of line 160 to look like
the following (*** represents added lines):
// Validate any credentials already included with this request
HttpServletRequest hreq =
(HttpServletRequest) request.getRequest();
HttpServletResponse hres =
(HttpServletResponse) response.getResponse();
String authorization = request.getAuthorization();
String username = parseUsername(authorization);
String password = parsePassword(authorization);
*** REQUEST_ADDRESS.set(hreq.getRemoteAddr());
*** REQUEST_HOST.set(hreq.getRemoteHost());
principal = context.getRealm().authenticate(username, password);
*** REQUEST_ADDRESS.set(null);
*** REQUEST_HOST.set(null);
The first pair of added lines caches the remote address and host name in the
thread-local variables. BasicAuthenticator then calls the realm's
authenticate() method as it always does, preserving the interface to
existing realm implementations. However, a suitably modified realm
implementation can now get the address or host from the BasicAuthenticator
variables and make the values available to the authentication mechanism as
appropriate. For example, I've modified a few classes in the JBoss
environment to be able to use these static thread-local values, so I can
have a JAAS LoginModule implementation that validates location and adds
appropriate roles for a user.
=========
R.W. Shore
Templar Corporation
[EMAIL PROTECTED]
[EMAIL PROTECTED] (short txt)
(703)505-4451 (cell, marginal quality)
(540)858-3487 (also the modem line)
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
