See my additional question at bottom: On Sun, 2003-02-09 at 18:09, Craig R. McClanahan wrote:
> However, a Filter (Servlet 2.3) > could parse this SAML > response, and re-package the request parameters as a j_username and a > j_password (even though, really, the j_username isn't a true username, > YET). Filters aren't going to help ... they run *after* the security constraints are evaluated, and *after* authentication has taken place. That's why you need to use a Valve instead (Authenticator extends Valve), to ensure that you run *before*. > > THEN, (still with me?), a JAASRealm could forward this j_username and > j_password to my LoginManager, for final SAML processing and log the > bloke on. > > It seems a little convoluted, but, what it buys me is, any Servlet > container which supports form-based authentication, and which supports > JAAS for realms (or equivalent), can harness this toolkit. I assume (but > have not verified) that this buys me into the major J2EE containers -- > Weblogic, SunONE, Websphere, etc, in addition to my favorite (Tomcat). > > Does this sound like it would work? > Ah, if only it would ... it would require a change to the servlet spec to allow filters to perform "container managed security" authentications. >From a container writer's point of view, I get a little uneasy thinking about delegating this responsibility to an application -- but I can see some use cases for it. Craig, there is one subtle point I was trying to make, and I'm not sure if you got it. I was NOT proposing that my Filter perform container-managed sercurity authentications (as you went on to explain was impossible). Instead, I was proposing that my Filter re-write the request parameters of an incoming FORM-POST into the Servlet-standard "j_username" and "j_password", and then Forward (or do I have to Redirect?) to the "j_security_check" URI. My filter would be consuming the SAML response, munging it into other parameters (j_username, j_password), and re-posting (or forwarding) to j_security_check. This would let me use: (a) the standard FORM auth-method in web.xml, (b), a standard Filter, and (c) a standard JAAS LoginModule, without having to write any container-specific code (such as a Tomcat Authenticator). The assumption I am making in order for this to work, is that the Servlet spec will allow requests to appear in the middle of the FORM-based authentication, AFTER the original form has been rendered to the browser, but BEFORE a POST is made to "j_security_check". With my slightly more detailed explanation, do you still assert that this can't work, and that I have no choice (today) but to go to container-specific extensions like Tomcat.Authenticator? Thanks for hashing this out with me, Bryan