On Tue, 23 Apr 2002, Tim Cronin wrote:

> I've been dealing with this same problem.
> Although Form based authentication is session based,
> the realm has no accessibility to the session object.
> There are also no events that tell when the session is
> first created only when objects are bound/unbound to the
> session.

That is not actually correct -- see HttpSessionListener.sessionCreated().
However, by itself it doesn't help much in the particular use case being
discussed here.  Yesterday I proposed a solution that used the
sessionCreated() listener in combination with a filter to do what you
wanted, while still remaining portable across any servlet 2.3 container.
Check the archives.

If you really wanted to modify Tomcat itself to support your paradigm,
you'd want to subclass org.apache.catalina.authenticator.FormAuthenticator
instead, and make it add the appropriate session attributes after the
Realm indicates that the user has been successfully identified.  Don't try
to make the Realm implementation do this sort of thing -- that is not what
it is designed for.

Craig
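
The following is an added example, not part of the original message and not the solution from the list archives: one way a sessionCreated() listener and a filter can be combined using only the servlet 2.3 API. The class name and the attribute names "auth.pending" and "user.name" are hypothetical; the identity is taken from the container's authenticated principal, never from request parameters.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Register this class twice in web.xml: once as a <listener> and once as a
// <filter> mapped to the protected URL pattern. The container creates a
// separate instance for each role, so no state is kept in fields.
public class LoginSessionInitializer implements HttpSessionListener, Filter {

    static final String PENDING = "auth.pending"; // hypothetical attribute name
    static final String USER = "user.name";       // hypothetical attribute name

    // Listener half: mark every new session as not yet initialized.
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setAttribute(PENDING, Boolean.TRUE);
    }

    public void sessionDestroyed(HttpSessionEvent event) { }

    public void init(FilterConfig config) { }

    // Filter half: on the first request that carries an authenticated
    // principal, populate the session once and clear the marker.
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpSession session = http.getSession(false); // never create one here
            Principal user = http.getUserPrincipal();     // null until the container authenticates
            if (session != null && user != null && session.getAttribute(PENDING) != null) {
                session.setAttribute(USER, user.getName());
                session.removeAttribute(PENDING);
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```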

