We have similar problems.
Our Apache server has done authentication already and the principal is
delegated by a header attribute.
My prototype does the following:
I wrote a Valve which emulates basic authentication:
public void invoke(Request request, Response response, ValveContext
context)
throws IOException, ServletException
{
getContainer().getLogger().log("BasicAuthenticationValve: invoke()
>>>");
if (request instanceof HttpRequest) {
String auth_string = "Basic " + new String(
Base64.encode("<user>:".getBytes()) );
request.setAuthorization(auth_string);
getContainer().getLogger().log("BasicAuthenticationValve:
Header '" + auth_string + "' added");
}
context.invokeNext(request, response);
getContainer().getLogger().log("BasicAuthenticationValve: invoke()
<<<");
}
A custom realm does the pseudo-authentication and gets the roles using
Corba. The realm can be configured to do the authentication or not.
Scott Kelley
<[EMAIL PROTECTED] An: [EMAIL PROTECTED]
sd.edu> Kopie:
Thema: Valve as Custom Authenticator
11.06.2003 20:13
Bitte antworten
an "Tomcat Users
List"
We've had an Apache/Tomcat configuration deployed for a couple years
now. Authentication is handled by a custom Apache plugin written in
C. Everything works great and has been quite reliable.
Now we would like to move to a standalone Tomcat configuration and
have been investigating writing a Valve/Authenticator to replace our
existing Apache plugin.
I've written a prototype Valve and it does almost everything we need.
This gives us the ability to require a server-wide login independent
of how the individual servlet contexts are configured. This ends up
being Tomcat-specific, but we're ok with that.
The only problem with the current prototype is that if a user hits a
servlet or JSP in a Context that's configured for basic
authentication, they still get the browser-generated basic login
dialog, even after being logged in with our Valve.
In my code, I check for a particular cookie, and if I find it, I set
the user principal in the request to the appropriate user, something
like this:
// Has connection already been authenticated
// (i.e. do we have the login cookie?)
Cookie lcookie=ValveUtils.findCookie(hreq,LOGIN_COOKIE_NAME);
// If the request has the login cookie, let it pass through
if (lcookie!=null) {
log("Found login cookie, validating");
if (validLoginCookie(lcookie,hreq)) {
log("cookie is valid, allowing request");
// See AuthenticatorBase.invoke(), which also sets
authType and userPrincipal
// See SignleSignOn.invoke(), which also set authType and
userPrincipal
hrequest.getRequest().setUserPrincipal(new
TempPrincipal("bob_temp_user"));
hrequest.getRequest().setAuthType("BASIC");
context.invokeNext(request,response);
} else {
log("cookie not valid, going to error page");
hres.sendRedirect(hres.encodeRedirectURL(ERROR_PAGE_URI));
}
return;
}
I had thought that this would work, because later in the pipeline the
request hits BasicAuthenticator, which does this:
public boolean authenticate(HttpRequest request,
HttpResponse response,
LoginConfig config)
throws IOException {
// Have we already authenticated someone?
Principal principal =
((HttpServletRequest)
request.getRequest()).getUserPrincipal();
if (principal != null) {
if (debug >= 1)
log("Already authenticated '" + principal.getName() +
"'");
return (true);
}
And since I've set the principal to something besides null, I had
assumed that the basic authentication would just be skipped. Which is
not the behavior that I'm seeing. Instead, I end up asking the user
to log in twice: once for my custom Valve (which is a web
form/redirect thing), and a second time when they hit a servlet in a
context with basic authentication (which causes the browser to put up
the basic authentication dialog).
So, what am I missing?
Thanks,
Scott
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
