Hi,

We have a site which has users log in to create/edit account
information. Nothing unusual there. Currently this is implemented with a
JDBCRealm and it all works OK.

However, we have a 'marketing requirement' to remove case sensitivity
(but NOT case preservation) from user names and passwords. I cannot see
any way to do this directly with JDBCRealm or DataSourceRealm. Unless I'm
missing something, the username and password provided to j_securitycheck
are explicitly matched for case.

Additionally, we will shortly need to offer an alternative login
mechanism - using either a login name or an email address in the same field.

So far, I can see the following options:
1. Implement a filter that 'sits around' the login form and translates
case on password and username to lower case and create a lowercase
'shadow' password table in my database. So, when a request is received
for the 'secured' pages this would be fed through this filter. However,
I don't think this will work, because I suspect that the security check
is run BEFORE any filters that I have configured in web.xml.
2. Implement some JavaScript to convert entered fields to lower case on
the login form (GHASTLY!). Still doesn't fix the password thing.
3. Implement my own Realm - intercept the requests - identify the
supplied string in the username field as an email address (or not), look
up the user by email address in the database (which in my case must be
unique). As I use PostgreSQL I can then write a 'like' query to case
insensitively find matching user and password. Upside - it should work.
Downside - I then have to add the resulting jar to $TOMCAT_HOME/lib on
all my servers and update the MBean descriptor (which I don't completely
understand how to do - advice?)
4. Possibly do something similar to 3 but with a JAAS.

Does anyone have any suggestions or comments? I'm perfectly OK with
using Acegi - my only issue with that is that, after a browse through
the docs, I don't see how I can meet my requirement of username/email and
password case insensitive but case preserving without additional code for
Acegi either. Obviously I can take that issue to the Acegi/Spring forums if
Acegi is the only solution (that is, 1, 3 and 4 above won't work - 2
is out).

Thanks in advance

Alan Chaney
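
Added example, not part of the original post: one way to do the lookup described in option 3 on PostgreSQL, matching a login name or an email address without regard to case while storing both exactly as entered. The table, column, index and statement names are assumptions; the query compares with equality on lower() rather than a pattern match, so % and _ in the submitted value are treated as literal characters.

```sql
-- Constructed schema: all names here are assumptions, not taken from the post.
CREATE TABLE users (
    user_id   serial PRIMARY KEY,
    -- Login names may not contain '@' and emails must, so a submitted
    -- value can only ever match one of the two columns.
    user_name text NOT NULL CHECK (position('@' in user_name) = 0),
    email     text NOT NULL CHECK (position('@' in email) > 0),
    -- Digest of the password, never plaintext. Assumption: the realm
    -- lower-cases the password before digesting it, which makes the check
    -- case-insensitive without a separate 'shadow' table.
    pass_hash text NOT NULL
);

-- Expression indexes: uniqueness is enforced ignoring case, while the
-- stored values keep the case the user typed (case preserving).
CREATE UNIQUE INDEX users_user_name_ci ON users (lower(user_name));
CREATE UNIQUE INDEX users_email_ci     ON users (lower(email));

-- Constructed sample rows.
INSERT INTO users (user_name, email, pass_hash) VALUES
    ('AlanC', 'Alan.C@Example.org', '<digest placeholder>'),
    ('bob',   'bob@example.org',    '<digest placeholder>');

-- Rejected by users_user_name_ci, because it differs from 'AlanC' only by case:
-- INSERT INTO users (user_name, email, pass_hash)
--     VALUES ('alanc', 'other@example.org', '<digest placeholder>');

-- One parameterised lookup for either identifier. In PostgreSQL, LIKE is
-- case-sensitive and ILIKE is the case-insensitive form; both interpret
-- % and _ as wildcards. Equality on lower() does neither and can use the
-- expression indexes above.
PREPARE find_login(text) AS
    SELECT user_name, pass_hash
    FROM users
    WHERE lower(user_name) = lower($1)
       OR lower(email)     = lower($1);

EXECUTE find_login('alanc');               -- one row: AlanC
EXECUTE find_login('ALAN.C@example.ORG');  -- one row: AlanC
EXECUTE find_login('%');                   -- no rows: % is compared literally
```

The realm would take `user_name` from the returned row as the principal name, so the rest of the application sees the name in its stored case regardless of how it was typed at login.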