On Sun, 2003-02-09 at 18:09, Craig R. McClanahan wrote:
> Ah, if only it would ... it would require a change to the servlet spec to allow filters to perform "container managed security" authentications. From a container writer's point of view, I get a little uneasy thinking about delegating this responsibility to an application -- but I can see some use cases for it.

In my proposal (contrary to what I read in your response), I wasn't going to use the Filter to perform actual authentication. Instead, I was going to use the filter to re-write the SAML response (request.getParameter("SAML...")) as standard form authentication parameters (request.setParameter("j_username", xxx), request.setParameter("j_password", yyy)). Then, these usernames and passwords would be passed down to the JAAS layer where my LoginManager can process them.

But as you say prior, the filters aren't even being run, apparently, before the container evaluates j_username and j_password, so I guess I have no Servlet-standard hook there. I guess it's off to the Authenticator API I go. Heck, at least I can keep all the authentication logic in one place with that strategy, as opposed to splitting it between a Filter and a LoginModule.