http://issues.apache.org/bugzilla/show_bug.cgi?id=21795
You can always write your own Realm which creates your own custom Principal which can store the password in it. This does require some casting but not uncommon.
-Tim
[EMAIL PROTECTED] wrote:
Thanks Tim Funk for the quick answer,
In FormAuthenticator there is a line: principal = context.getRealm().authenticate(username, password); It returns an interface, java.security.Principal. The Principal stores the username (uid), not the password (Credential). I can only call getName(). Furthermore, any Realm has no access to the user's session. So I can't get the password from the realm.
I could of course write the password as cleartext or obscured code in my own Realm to an external data store. But I don't want that. It's dirty and unsafe and against the security requirements of this web-app.
I've searched the Java Servlet Specification v.2.4 http://jcp.org/aboutJava/communityprocess/final/jsr154/index.html but haven't found a place where applying ServletFilters to /j_security_check is forbidden.
Could you please provide me with a pointer to the spec you have forbidding this kind of filtering?
One of many same questions I have found on http://www.mail-archive.com/[EMAIL PROTECTED]/msg117539.html (Message 1117539 on this list) was answered by yourself with the suggestion of using a valve. Could you please give me more detail on that solution?
In the same answer it was mentioned that BEA WebLogic provides a hook named auth-filter which would solve my problem too (in a proprietary way). With WebSphere this is the second app server which could solve my problem. I have a Sun ONE Web App Server 7 at hand, so I will eventually try the ServletFilter method too.
Another thread on this list with the same requirement is number 111855: "servlet sendRedirect() to j_security_check problem (remember me)" http://www.mail-archive.com/[EMAIL PROTECTED]/msg111855.html It announces Matt Raible's solution, programmed into his example application AppFuse. It works by submitting a subrequest via the HttpClient lib, which seems rather strange to me.
It cites an earlier posting number 111700 http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg111700.html
One more question: In the Tomcat 5.0.27 source in FormAuthenticator.java it says

    // Save the authenticated Principal in our session
    session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);

    // If we are not caching, save the username and password as well
    if (!cache) {
        session.setNote(Constants.SESS_USERNAME_NOTE, username);
        session.setNote(Constants.SESS_PASSWORD_NOTE, password);
    }

Am I able to session.getNote(Constants.SESS_PASSWORD_NOTE, password) in my web-app? It seems to be stored in the session, or am I wrong?
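One way to do what Tim suggests (a Realm that returns a custom Principal carrying the credential, retrieved in the web-app by casting), as an added example that is not part of this thread or of Tomcat itself. It assumes Tomcat 5's org.apache.catalina.realm.MemoryRealm as the backing realm, that request.getUserPrincipal() returns the realm's Principal unchanged as it did in Tomcat 5, and it overrides hasRole so role checks still reach the wrapped GenericPrincipal; the names CredentialRealm and CredentialPrincipal are made up for this example.

```java
// Added example, not Tomcat code. Compile against Tomcat 5's catalina.jar and
// declare it in the context as <Realm className="CredentialRealm"/>.
import java.security.Principal;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.realm.MemoryRealm;

public class CredentialRealm extends MemoryRealm {

    /** Principal that wraps the realm's own Principal and carries the credential. */
    public static final class CredentialPrincipal implements Principal {
        private final Principal delegate;
        // transient: never written out if the session is persisted or replicated
        private transient char[] credential;

        CredentialPrincipal(Principal delegate, String credential) {
            this.delegate = delegate;
            this.credential = credential.toCharArray();
        }
        public String getName() { return delegate.getName(); }
        public Principal getDelegate() { return delegate; }
        /** Copy of the credential, or null once clear() has run. */
        public char[] getCredential() {
            return credential == null ? null : credential.clone();
        }
        /** Wipe the credential, e.g. from a logout handler or session listener. */
        public void clear() {
            if (credential != null) { Arrays.fill(credential, '\0'); credential = null; }
        }
    }

    // Let MemoryRealm check the password, then hand back the wrapping Principal.
    public Principal authenticate(String username, String credentials) {
        Principal p = super.authenticate(username, credentials); // null on failure
        return (p == null) ? null : new CredentialPrincipal(p, credentials);
    }

    // RealmBase only understands its own GenericPrincipal, so unwrap for role checks;
    // without this, isUserInRole() and security constraints would fail for everyone.
    public boolean hasRole(Principal principal, String role) {
        if (principal instanceof CredentialPrincipal) {
            principal = ((CredentialPrincipal) principal).getDelegate();
        }
        return super.hasRole(principal, role);
    }

    /** Web-app side: the cast Tim mentions. Null if another realm authenticated. */
    public static CredentialPrincipal from(HttpServletRequest request) {
        Principal p = request.getUserPrincipal();
        return (p instanceof CredentialPrincipal) ? (CredentialPrincipal) p : null;
    }
}
```

Whatever reads the credential should call clear() as soon as it is done with it, since the Principal lives as long as the session does.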