Thanks, Craig!

> > 1. If user is not logged in or if the session has
> > timed out then it should open login page and after
> > successful login it should try to access the very
> > same request (ie. the same document).

> I don't quite see why you need to modify the standard
> form-based login mechanisms, either.  Can't you just use
> the standard form based login for triggering authentication?

No, I did not want to modify the standard login mechanism by
any means :-). I simply had this (wrong) impression that
filters get called before checking security constraints.
How stupid of me :-). Creating a security constraint like
you suggested covered the first step, and now I have this
filter purring like a kitten.

Just in case anybody is interested... this is what I did.
doFilter looks like this:

public void doFilter (
        ServletRequest request,
        ServletResponse response,
        FilterChain chain
)
throws IOException, ServletException
{
        // Is this really necessary? Could it be that requests
        // other than HttpServletRequest are passed to
        // this filter? Can they be harmful by any means?
        // Or should I let them through?
        // (A non-HTTP response has no sendError(), so the only
        // safe thing to do with such a request is to refuse it.)
        if( !(request instanceof HttpServletRequest) ||
            !(response instanceof HttpServletResponse) ){
                throw new ServletException( "non-HTTP request" );
        }

        HttpServletRequest httpRequest = (HttpServletRequest)request;
        HttpServletResponse httpResponse = (HttpServletResponse)response;

        // getRemoteUser() is null when the container has not
        // authenticated the request, i.e. the URL is not covered
        // by a security constraint.
        String user = httpRequest.getRemoteUser();
        String requestURI = httpRequest.getRequestURI();

        if( user == null ){
                httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
                return;
        }

        boolean authorized = false;
        try {
                // At this point we have user name in 'user' and request URI
                // in 'requestURI'. Make sure that this user has rights to
                // get this document and set authorized to true, if (s)he has.

                authorized = ...

        } catch( Exception e ){
                // Any failure in the check leaves authorized == false,
                // so the request is refused below.
        }

        if( !authorized ){
                httpResponse.sendError( HttpServletResponse.SC_NOT_FOUND );
                return;
        }

        // Pass control on to the next filter
        chain.doFilter( request, response );
}

with best wishes,
Taavi


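As an added example, not part of the original post or Taavi's code, here is a complete filter class built around the pattern described above: the container authenticates the user (via a security constraint on the document URLs, so getRemoteUser() is non-null when the filter runs), and the filter then decides per document whether that user may read it. The class name, the package, and the authorization rule (documents live under /docs/<owner>/... and only <owner> may read them) are all hypothetical stand-ins for whatever the real check is.

```java
package example; // hypothetical package

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Per-document authorization filter. Assumes the container has already
 * authenticated the request, i.e. the filter's URL pattern is also covered
 * by a <security-constraint> in web.xml.
 */
public class DocumentAuthorizationFilter implements Filter {

    private FilterConfig config;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    public void destroy() {
        config = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)
                || !(response instanceof HttpServletResponse)) {
            // A non-HTTP response has no sendError(); refuse rather than let it through.
            throw new ServletException("DocumentAuthorizationFilter only handles HTTP");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String user = httpRequest.getRemoteUser();
        if (user == null) {
            // Only reachable if the URL lies outside every security constraint,
            // i.e. the container never authenticated. That is a deployment error:
            // log it and fail closed.
            config.getServletContext().log(
                    "No authenticated user for " + httpRequest.getRequestURI());
            httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Use the container-decoded, context-relative path (servletPath + pathInfo)
        // rather than getRequestURI(), which still carries the context path and
        // any %-encoding.
        String path = httpRequest.getServletPath();
        if (httpRequest.getPathInfo() != null) {
            path += httpRequest.getPathInfo();
        }

        boolean authorized;
        try {
            authorized = isAuthorized(user, path);
        } catch (RuntimeException e) {
            // Any failure inside the check means "no"; record why.
            config.getServletContext().log("Authorization check failed for " + user, e);
            authorized = false;
        }

        if (!authorized) {
            // 404 rather than 403, so an authenticated user cannot probe which
            // documents exist.
            httpResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Hypothetical rule: /docs/<owner>/... is readable only by <owner>. */
    static boolean isAuthorized(String user, String path) {
        String prefix = "/docs/";
        if (!path.startsWith(prefix)) {
            return false;
        }
        String rest = path.substring(prefix.length());
        int slash = rest.indexOf('/');
        String owner = slash < 0 ? rest : rest.substring(0, slash);
        // Reject empty or traversal-looking owner segments even though the
        // container normally normalizes ".." before mapping.
        if (owner.length() == 0 || owner.equals(".") || owner.equals("..")) {
            return false;
        }
        return owner.equals(user);
    }
}
```

To make this work, web.xml needs the filter mapped to the document URLs (for example /docs/*) and a security-constraint on the same url-pattern with an auth-constraint naming a role every user holds, plus a login-config using FORM authentication. The constraint is what gives the "redirect to login, then replay the original request" behaviour from step 1; the filter only ever sees requests the container has already authenticated, which is why getRemoteUser() being null is treated here as a configuration bug rather than an anonymous visitor.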