I'm running in an environment in which I sometimes need to authenticate based on both location (IP address, say) and credential (uid/pwd). To make this work, I need to have access to the remote address and/or host from the HTTP request hitting the protected subweb. This information isn't available if I've got BASIC authentication turned on (and probably not other authentication strategies either, though I haven't looked at them lately). To support what I need to do, I need to have a slight modification made to org.apache.catalina.authenticator.BasicAuthenticator. The modified source is attached from the 4.1 source archive. The strategy is the following:
o Add the following static declarations to the class:

      public static final ThreadLocal REQUEST_ADDRESS = new ThreadLocal();
      public static final ThreadLocal REQUEST_HOST = new ThreadLocal();

  These give me a place to stick the address and host name from the incoming request.

o Modify the authenticate() method in the vicinity of line 160 to look like the following (*** represents added lines):

      // Validate any credentials already included with this request
      HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
      HttpServletResponse hres = (HttpServletResponse) response.getResponse();
      String authorization = request.getAuthorization();
      String username = parseUsername(authorization);
      String password = parsePassword(authorization);
  *** REQUEST_ADDRESS.set(hreq.getRemoteAddr());
  *** REQUEST_HOST.set(hreq.getRemoteHost());
  *** try {
          principal = context.getRealm().authenticate(username, password);
  *** } finally {
  ***     // Clear even if the realm throws: the request thread is pooled and reused,
  ***     // so a stale value would be visible to the next request on this thread
  ***     REQUEST_ADDRESS.set(null);
  ***     REQUEST_HOST.set(null);
  *** }

The first pair of added lines caches the remote address and host name in the thread-local variables. BasicAuthenticator then calls the realm's authenticate() method as it always does, preserving the interface to existing realm implementations. However, a suitably modified realm implementation can now get the address or host from the BasicAuthenticator variables and make the values available to the authentication mechanism as appropriate. For example, I've modified a few classes in the JBoss environment to be able to use these static thread-local values, so I can have a JAAS LoginModule implementation that validates location and adds appropriate roles for a user.

=========
R.W. Shore
Templar Corporation
[EMAIL PROTECTED]
[EMAIL PROTECTED] (short txt)
(703)505-4451 (cell, marginal quality)
(540)858-3487 (also the modem line)
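The hand-off pattern described in the post, as an added stand-alone example that is not the poster's code nor Tomcat's: a holder with the two ThreadLocals, a hypothetical realm (LocationAwareRealm) that reads the caller's address from them to grant an extra role, and an authenticator-side call that clears them in a finally block. The class names, the sample user and the 10.0.0. address prefix are assumptions, and the code uses modern Java (generics, Map.of) rather than the 4.1-era style.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
// Holder mirroring the two ThreadLocals the post adds to BasicAuthenticator (class name assumed).
final class RequestLocation {
    static final ThreadLocal<String> REQUEST_ADDRESS = new ThreadLocal<>();
    static final ThreadLocal<String> REQUEST_HOST = new ThreadLocal<>();
}
// Hypothetical realm: checks the credential, then grants an extra role only when the caller's
// address, read from the ThreadLocal, is inside an allowed prefix.
final class LocationAwareRealm {
    private static final Map<String, byte[]> USERS = Map.of(          // constructed sample user
            "alice", "s3cret".getBytes(StandardCharsets.UTF_8));
    private static final String INTRANET_PREFIX = "10.0.0.";           // constructed allowlist
    Set<String> authenticate(String user, String password) {
        byte[] expected = USERS.get(user);
        if (expected == null || !MessageDigest.isEqual(expected,
                password.getBytes(StandardCharsets.UTF_8))) {          // constant-time compare
            return Collections.emptySet();                             // credential rejected
        }
        Set<String> roles = new HashSet<>(Set.of("user"));
        String addr = RequestLocation.REQUEST_ADDRESS.get();
        // null means the realm was called outside the authenticator: treat as untrusted location
        if (addr != null && addr.startsWith(INTRANET_PREFIX)) {
            roles.add("intranet-user");
        }
        return roles;
    }
}
public class LocationAuthDemo {
    // Mirrors the authenticator-side change, with try/finally so a pooled request thread
    // never carries the previous caller's address into the next request.
    static Set<String> authenticate(LocationAwareRealm realm, String remoteAddr,
                                    String remoteHost, String user, String password) {
        RequestLocation.REQUEST_ADDRESS.set(remoteAddr);
        RequestLocation.REQUEST_HOST.set(remoteHost);
        try {
            return realm.authenticate(user, password);
        } finally {
            RequestLocation.REQUEST_ADDRESS.remove();
            RequestLocation.REQUEST_HOST.remove();
        }
    }
    public static void main(String[] args) {
        LocationAwareRealm realm = new LocationAwareRealm();
        System.out.println(authenticate(realm, "10.0.0.5", "pc1.corp.example", "alice", "s3cret"));
        System.out.println(authenticate(realm, "203.0.113.9", "ext.example.net", "alice", "s3cret"));
        System.out.println(authenticate(realm, "10.0.0.5", "pc1.corp.example", "alice", "wrong"));
    }
}
```

Note that getRemoteAddr() reports the immediate TCP peer, so behind a reverse proxy or load balancer every request appears to come from that proxy; a location check there has to be fed the client address by a trusted proxy rather than taken from the socket.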