I built a solution that is working for me. The Servlet does a login, copies the authentication data to the session and responds with JSON data.
The problem with this solution is that I have to access a private member using reflection, because the StandardSession object is hidden behind a facade (StandardSessionFacade). It's very dirty, but perhaps it can help someone.

// imports needed at the top of the servlet class
import java.io.PrintWriter;
import java.lang.reflect.Field;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.session.StandardSession;
import org.json.JSONException;
import org.json.JSONObject;

public void doPost(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, java.io.IOException {
    String username = req.getParameter("j_username");
    String password = req.getParameter("j_password");
    boolean success = false;
    String errortext = null;

    if (username != null && password != null) {
        try {
            // authenticate the current request
            req.login(username, password);
            // attention! only the request is authenticated now
            try {
                // on org.apache.catalina.session.StandardSession we can set the
                // "UserPrincipal" from the current request; this object is a
                // private member of an instance of 'StandardSessionFacade'
                StandardSession tomcatSession =
                    (StandardSession) getPrivateField(req.getSession(), "session");
                // copy the authentication data to the session
                tomcatSession.setPrincipal(req.getUserPrincipal());
                tomcatSession.setAuthType(HttpServletRequest.BASIC_AUTH);
                tomcatSession.setNote(Constants.SESS_USERNAME_NOTE, username);
                tomcatSession.setNote(Constants.SESS_PASSWORD_NOTE, password);
                // OK (Log/jafaLogger is the application's own logging helper)
                Log(jafaLogger.LVL_INFO_LOW, "Login OK");
                success = true;
            } catch (Exception e) {
                success = false;
                errortext = "Error configuring session: " + e.getMessage();
                Log(jafaLogger.LVL_ERR_HIGH, errortext);
            }
        } catch (ServletException loginError) {
            success = false;
            errortext = loginError.toString();
        }
    } else {
        success = false;
        errortext = "Username or password missing";
    }

    // answer the AJAX caller with a small JSON document
    res.setContentType("application/json");
    JSONObject jsonElement = new JSONObject();
    try {
        jsonElement.put("success", success);
        if (!success && errortext != null) {
            jsonElement.put("errortext", errortext);
        }
    } catch (JSONException jsonException) {
        // ignored: the two put() calls above cannot fail for these values
    }
    PrintWriter out = res.getWriter();
    out.write(jsonElement.toString());
    out.flush();
    out.close();
}

// reflective read of a private field; this helper was not part of the
// original message and is the straightforward implementation of the call above
private static Object getPrivateField(Object target, String name) throws Exception {
    Field field = target.getClass().getDeclaredField(name);
    field.setAccessible(true);
    return field.get(target);
}

2013/2/9 Jimmy Johnson <eclectic.sou...@gmail.com>:
> I had the same
> requirements and ended up using Spring security. Although
> spring security is not set up for ajax itself, you can make a filter that
> catches all ajax context after it goes through the security class filters.
> Take a look here:
>
> http://static.springsource.org/spring-security/site/
>
> If you think this is a solution for you let me know and I can provide more
> details.
>
> Jimmy
>
> On Feb 8, 2013, at 8:35 AM, Johannes Meyer <johannes.c.me...@gmail.com> wrote:
>
>> Hi Konstantin,
>>
>> thank you for the answer.
>>
>>> HttpServletRequest.login(..) ?
>>> (in a Servlet 3.0 application)
>>
>> If I call this function, only the current request is authorized, but
>> not the whole session.
>>
>> Is there any solution to authorize the session?
>>
>> Thank you,
>> Johannes
>>
>> 2013/2/8 Konstantin Kolinko <knst.koli...@gmail.com>:
>>> 2013/2/8 Johannes Meyer <johannes.c.me...@gmail.com>:
>>>> Hello all,
>>>>
>>>> I'm developing a web application with asynchronous techniques (ExtJS).
>>>>
>>>> Most pages are secured with a "security-constraint", so the user
>>>> has to log in first.
>>>>
>>>> The user gets prompted with a login dialog and can type in his username
>>>> and password. The data will be sent asynchronously to the server and the
>>>> user should be logged in.
>>>>
>>>> How can I implement this best?
>>>>
>>>> I tried to work with FORM authentication but it is not very elegant.
>>>>
>>>> Is there any solution to make an AJAX authentication?
>>>>
>>>> Or can I build a servlet that logs the user in without showing him any
>>>> dialogs?
>>>>
>>>
>>> HttpServletRequest.login(..) ?
>>> (in a Servlet 3.0 application)
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
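An added example, not code from the thread: a Servlet 3.0 JSON login endpoint for the ExtJS dialog that stays on the public API instead of reaching into StandardSessionFacade. It invalidates any pre-login session and creates a fresh one before calling login(), on the assumption (not stated in the thread) that the container caches the authenticated principal into a session that already exists; the /ajax-login mapping, the AjaxLoginServlet name and the org.json dependency are assumptions as well.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.json.JSONException;
import org.json.JSONObject;

@WebServlet("/ajax-login") // hypothetical mapping; the dialog POSTs j_username/j_password here
public class AjaxLoginServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String username = req.getParameter("j_username");
        String password = req.getParameter("j_password");
        JSONObject json = new JSONObject();
        int status = HttpServletResponse.SC_UNAUTHORIZED;
        try {
            if (username == null || password == null) {
                json.put("success", false);
                json.put("errortext", "Username or password missing");
                status = HttpServletResponse.SC_BAD_REQUEST;
            } else {
                // Drop any pre-login session so an id issued before authentication is
                // never promoted to a logged-in one (session fixation), then create
                // the session that login() is assumed to populate.
                HttpSession old = req.getSession(false);
                if (old != null) { old.invalidate(); }
                req.getSession(true);
                try {
                    req.login(username, password); // container realm checks credentials
                    json.put("success", true);
                    json.put("user", req.getUserPrincipal().getName());
                    status = HttpServletResponse.SC_OK;
                } catch (ServletException e) {
                    // Same message for unknown user and wrong password: no account enumeration.
                    json.put("success", false);
                    json.put("errortext", "Invalid credentials");
                }
            }
        } catch (JSONException e) {
            throw new ServletException(e);
        }
        res.setStatus(status);
        res.setContentType("application/json");
        res.setHeader("Cache-Control", "no-store"); // never cache a login response
        res.getWriter().write(json.toString());
    }
}
```

The dialog can branch on the HTTP status alone (200, 400 or 401) and only needs the JSON body for the message text.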