Thanks for the reply, (I'm thanking Tim as well :)).

I've never worked with filters before so I don't quite get everything you're
saying.
Your code seems to be a good first step though. But I have a few questions:

My code in the doFilter looks like this atm:
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;

        System.out.println("##### Authentication header = " +
            httpServletRequest.getHeader("Authentication"));

        if (httpServletRequest.getHeader("Authentication") == null ||
            httpServletRequest.getHeader("Authentication").length() <= 6) {
            System.out.println("##### No authentication header found");
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"My realm\"");
        } else {

            System.out.println("##### Authentication info received!!!");
            // Decode the auth header
            String authHeader = httpServletRequest.getHeader("Authentication");
            // decodeBase64 is the static decoder in commons-codec
            String authInfo = new String(Base64.decodeBase64(authHeader.substring(6).getBytes()));
            // substring's end index is exclusive, so the user name ends at the colon
            String user = authInfo.substring(0, authInfo.indexOf(':'));
            String password = authInfo.substring(authInfo.indexOf(':') + 1);

            System.out.println("##### User = " + user);
            System.out.println("##### Password = " + password);
        }

This is not working, and the reason is probably obvious for most of you. But
what should I do? Should I somehow wrap the httpServletResponse in a
response wrapper so that I can receive what the user types when the window
pops up? (Right now the authentication header is always null regardless of
what I write in the username/password box in the pop-up window). And do I
really have to wrap the request when I'm doing my redirect even though the
filter should not care about what's happening next? And the last thing: My
thoughts right now are that I'll configure this filter to protect a jsp page
that will never be accessed (since I'd like to redirect from the filter).
But the thing is that I need the filter to pass parameters that originally
were aimed for the protected jsp page. E.g. say that the jsp page I would
like to protect is called redirect.jsp, so if I access this page with
http://localhost/myapp/jsp/redirect.jsp?param=param1 I'd like the filter to
kick in and present me with http basic authentication. Regardless of what
the user types as username and password, I'd like the filter to (for
instance) forward to http://localhost/myapp/myservlet?param=param1. That is
passing all the parameters that were passed to the redirect.jsp page.

Regards,
Johan


On 2/22/06, David Smith <[EMAIL PROTECTED]> wrote:
>
> Do it in a request filter and don't implement a realm in tomcat. You're
> looking for something like (all in a filter):
>
> //Check for a basic auth header with actual user/pass info
> if ((request.getHeader("Authentication") == null) ||
>     (request.getHeader("Authentication").length() <= 6)) {
>     response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
>     response.setHeader("WWW-Authenticate", "BASIC realm=\"My realm\"");
>     return;
> }
>
> //Decode the auth header (decodeBase64 is the static decoder in commons-codec)
> String authInfo = new String(Base64.decodeBase64(
>     request.getHeader("Authentication").substring(6).getBytes()));
> //substring's end index is exclusive, so the user name ends at the colon
> String user = authInfo.substring(0, authInfo.indexOf(':'));
> String password = authInfo.substring(authInfo.indexOf(':') + 1);
>
> //Check the password by calling your own code. Wrap the request in
> //your own HttpServletRequestWrapper and pass it on
>
> The Base64 class is from the commons-codec project.
>
> --David
>
> Johan Haleby wrote:
> > Hi!
> >
> > I've implemented a simple custom realm that I use in Tomcat 5.0.28. But
> > instead of doing the authentication in the authenticate method in my realm
> > I'd like the actual authentication to be conducted by another servlet that
> > takes username and password as parameters. So basically what I'd like to do
> > is just to pass the username and password entered by the user when the
> > "login popup window" (http basic authentication) pops up to the
> > authentication servlet by redirecting the user to that URL with those
> > parameters. My realm should always accept the username/password since the
> > actual authentication takes place somewhere else. Is this possible, and in
> > that case where do I start?
> >
> > Thanks in advance,
> > Johan
> >
> >
>
>
> --
> David Smith
> Network Operations Supervisor
> Department of Entomology
> Cornell University
> 2132 Comstock Hall
> Ithaca, NY 14853
> Phone: (607) 255-9571
> Fax: (607) 255-0940
>
>
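
For reference, an added example (not code from either poster): browsers answer a `WWW-Authenticate: Basic` challenge in the `Authorization` request header, so a filter would pass `httpServletRequest.getHeader("Authorization")` to a parser like this one. The class and method names are hypothetical, UTF-8 decoding is an assumption, and it uses `java.util.Base64` (Java 8+) rather than commons-codec.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example: parses the credentials a browser returns after a 401 challenge.
// BasicAuthHeader and parse() are hypothetical names, not part of any library.
public class BasicAuthHeader {

    /** Returns {user, password}, or null when the header is absent or malformed. */
    static String[] parse(String header) {
        // Expected form: "Basic <base64(user:password)>", scheme is case-insensitive.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64: treat the request as unauthenticated
        }
        // Assumption: credentials are UTF-8 encoded.
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the FIRST colon; passwords may contain ':'
        if (colon < 0) {
            return null;
        }
        // substring's end index is exclusive, so the user name is [0, colon)
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample headers, not taken from the thread.
        String valid = "Basic " + Base64.getEncoder()
                .encodeToString("johan:pa:ss".getBytes(StandardCharsets.UTF_8));
        String[] headers = {
            valid,                 // well-formed, password contains a colon
            null,                  // first request, before the browser prompts
            "Basic",               // scheme only, no credentials
            "Bearer abc",          // different scheme
            "Basic !!!",           // invalid Base64
            "Basic bm9jb2xvbg=="   // decodes to "nocolon": no separator
        };
        for (int i = 0; i < headers.length; i++) {
            String[] cred = parse(headers[i]);
            // Log the outcome and user name only, never the header or the password.
            System.out.println("case " + i + " -> "
                    + (cred == null ? "send 401 challenge" : "user=" + cred[0]));
        }
    }
}
```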