I built a solution, that is working for me. The Servlet is doing a
login, copies the the authentication-data to the session and responds
with JSON-Data.
The problem with this solution is, that I have to access a private
member by using reflections, because the StandardSession-Object is
hidden with a Facade-Pattern.
It's very dirty, but perhaps it can help anyone.
public void doPost(HttpServletRequest req, HttpServletResponse res)
throws ServletException, java.io.IOException {
String username = req.getParameter("j_username");
String password = req.getParameter("j_password");
boolean success = false;
String errortext = null;
if (username!=null && password!=null) {
try {
// authenticate the current request
req.login(username, password);
// attention! only the request is authenticated
now
try {
// on
org.apache.catalina.session.StandardSession we can set the
"UserPrincipal" from the current request
// this object is private member of an
instance of
'StandardSessionFacade'
StandardSession tomcatSession =
(StandardSession)
getPrivateField(req.getSession(), "session");
// set the authentication-data to the
session
tomcatSession.setPrincipal(
req.getUserPrincipal() );
tomcatSession.setAuthType(HttpServletRequest.BASIC_AUTH);
tomcatSession.setNote(Constants.SESS_USERNAME_NOTE, username);
tomcatSession.setNote(Constants.SESS_PASSWORD_NOTE, password);
// OK
Log(jafaLogger.LVL_INFO_LOW, "Login
OK");
success = true;
}
catch (Exception e) {
success = false;
errortext = "Error configuring session:
" + e.getMessage();
Log(jafaLogger.LVL_ERR_HIGH, errortext);
}
}
catch (ServletException loginError) {
success = false;
errortext = loginError.toString();
}
}
else {
success = false;
errortext = "Username or password missing";
}
res.setContentType("application/json");
JSONObject jsonElement = new JSONObject();
try{
jsonElement.put("success", success);
if (!success && errortext!=null)
{
jsonElement.put("errortext", errortext);
}
}
catch (JSONException jsonException){}
PrintWriter out = res.getWriter();
out.write(jsonElement.toString());
out.flush();
out.close();
}
2013/2/9 Jimmy Johnson <[email protected]>:
> I had the same requirements and ended up using Spring security. Although
> spring security is no set up for ajax itself, you can make a filter that
> catches all ajax context after it goes through the security class filters.
> Take a look here :
>
> http://static.springsource.org/spring-security/site/
>
> If you think this is a solution for you let me know and I can provide more
> details.
>
> Jimmy
>
> On Feb 8, 2013, at 8:35 AM, Johannes Meyer <[email protected]> wrote:
>
>> Hi Konstantin,
>>
>> thank you for answer.
>>
>>> HttpServletRequest.login(..) ?
>>> (in a Servlet 3.0 application)
>>
>> If I call this function, only the current request is authorized, but
>> not the whole session.
>>
>> Is there any solution to authorize the session?
>>
>> Thank you,
>> Johannes
>>
>> 2013/2/8 Konstantin Kolinko <[email protected]>:
>>> 2013/2/8 Johannes Meyer <[email protected]>:
>>>> Hello all,
>>>>
>>>> I'm developing a web application with asynchronous techniques (ExtJS).
>>>>
>>>> The most pages are secured with a "security-constraint", so the user
>>>> has to log in at first.
>>>>
>>>>
>>>> The users gets prompted a login dialog and can type in his username
>>>> and password. The data will be sent asynchronous to the server and the
>>>> user should be logged in.
>>>>
>>>> How can I implement it at best?
>>>>
>>>> I tried to work with FORM-authentication but it is not very elegant.
>>>>
>>>> Is there any solution to make an AJAX-Authentication?
>>>>
>>>> Or can I build a servlet, that logs the user in, without show him any
>>>> dialogs?
>>>>
>>>
>>> HttpServletRequest.login(..) ?
>>> (in a Servlet 3.0 application)
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [email protected]
>>> For additional commands, e-mail: [email protected]
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
