-Tim
Scott Kelley wrote:
We've had an Apache/Tomcat configuration deployed for a couple years now. Authentication is handled by a custom Apache plugin written in C. Everything works great and has been quite reliable.
Now we would like to move to a standalone Tomcat configuration and have been investigating writing a Valve/Authenticator to replace our existing Apache plugin.
I've written a prototype Valve and it does almost everything we need. This gives us the ability to require a server-wide login independent of how the individual servlet contexts are configured. This ends up being Tomcat-specific, but we're ok with that.
The only problem with the current prototype is that if a user hits a servlet or JSP in a Context that's configured for basic authentication, they still get the browser-generated basic login dialog, even after being logged in with our Valve.
In my code, I check for a particular cookie, and if I find it, I set the user principal in the request to the appropriate user, something like this:
// Has connection already been authenticated // (i.e. do we have the login cookie?) Cookie lcookie=ValveUtils.findCookie(hreq,LOGIN_COOKIE_NAME);
// If the request has the login cookie, let it pass through
if (lcookie!=null) {
log("Found login cookie, validating");
if (validLoginCookie(lcookie,hreq)) {
log("cookie is valid, allowing request");
// See AuthenticatorBase.invoke(), which also sets authType and userPrincipal
// See SignleSignOn.invoke(), which also set authType and userPrincipal
hrequest.getRequest().setUserPrincipal(new TempPrincipal("bob_temp_user"));
hrequest.getRequest().setAuthType("BASIC");
context.invokeNext(request,response);
} else {
log("cookie not valid, going to error page");
hres.sendRedirect(hres.encodeRedirectURL(ERROR_PAGE_URI));
}
return;
}
I had thought that this would work, because later in the pipeline the request hits BasicAuthenticator, which does this:
public boolean authenticate(HttpRequest request, HttpResponse response, LoginConfig config) throws IOException {
// Have we already authenticated someone? Principal principal = ((HttpServletRequest) request.getRequest()).getUserPrincipal(); if (principal != null) { if (debug >= 1) log("Already authenticated '" + principal.getName() + "'"); return (true); }
And since I've set the principal to something besides null, I had assumed that the basic authentication would just be skipped. Which is not the behavior that I'm seeing. Instead, I end up asking the user to log in twice: once for my custom Valve (which is a web form/redirect thing), and a second time when they hit a servlet in a context with basic authentication (which causes the browser to put up the basic authentication dialog).
So, what am I missing?
Thanks,
Scott
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]