On Sun, 2003-02-09 at 18:09, Craig R. McClanahan wrote:

    Ah, if only it would ... it would require a change to the servlet spec to
    allow filters to perform "container managed security" authentications.
    From a container writer's point of view, I get a little uneasy thinking
    about delegating this responsibility to an application -- but I can see
    some use cases for it.
    

In my proposal (contrary to what I read in your response), I wasn't
going to use the Filter to perform actual authentication. Instead, I was
going to use the filter to re-write the SAML response
(request.getParameter("SAML...")) as standard form authentication
parameters (request.setParameter("j_username", xxx),
request.setParameter("j_password", yyy)). Then, these usernames and
passwords would be passed down to the JAAS layer where my LoginManager
can process them.

But as you say prior, the filters aren't even being run, apparently,
before the container evaluates j_username and j_password, so I guess I
have no Servlet-standard hook there. I guess it's off to the
Authenticator API I go. 

Heck, at least I can keep all the authentication logic in one place with
that strategy, as opposed to splitting it between a Filter and a
LoginModule.

