See my additional question at bottom:

On Sun, 2003-02-09 at 18:09, Craig R. McClanahan wrote:


    > However, a Filter (Servlet 2.3) could parse this SAML response, and
    > re-package the request parameters as a j_username and a j_password
    > (even though, really, the j_username isn't a true username, YET).
    
    Filters aren't going to help ... they run *after* the security
    constraints are evaluated, and *after* authentication has taken place.
    That's why you need to use a Valve instead (Authenticator extends Valve),
    to ensure that you run *before*.
    
    > THEN, (still with me?), a JAASRealm could forward this j_username and
    > j_password to my LoginManager, for final SAML processing and log the
    > bloke on.
    >
    > It seems a little convoluted, but, what it buys me is, any Servlet
    > container which supports form-based authentication, and which supports
    > JAAS for realms (or equivalent), can harness this toolkit. I assume (but
    > have not verified) that this buys me into the major J2EE containers --
    > Weblogic, SunONE, Websphere, etc, in addition to my favorite (Tomcat).
    >
    > Does this sound like it would work?
    
    Ah, if only it would ... it would require a change to the servlet spec to
    allow filters to perform "container managed security" authentications.
    From a container writer's point of view, I get a little uneasy thinking
    about delegating this responsibility to an application -- but I can see
    some use cases for it.
    

Craig, there is one subtle point I was trying to make, and I'm not sure
if you got it. I was NOT proposing that my Filter perform
container-managed security authentications (as you went on to explain
was impossible). Instead, I was proposing that my Filter re-write the
request parameters of an incoming FORM-POST into the Servlet-standard
"j_username" and "j_password", and then Forward (or do I have to
Redirect?) to the "j_security_check" URI.

My filter would be consuming the SAML response, munging it into other
parameters (j_username, j_password), and re-posting (or forwarding) to
j_security_check.

This would let me use: (a) the standard FORM auth-method in web.xml,
(b), a standard Filter, and (c) a standard JAAS LoginModule, without
having to write any container-specific code (such as a Tomcat
Authenticator).

The assumption I am making in order for this to work, is that the
Servlet spec will allow requests to appear in the middle of the
FORM-based authentication, AFTER the original form has been rendered to
the browser, but BEFORE a POST is made to "j_security_check".

With my slightly more detailed explanation, do you still assert that
this can't work, and that I have no choice (today) but to go to
container-specific extensions like Tomcat.Authenticator?

Thanks for hashing this out with me,

Bryan

