-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John,

On 11/11/2009 5:29 PM, John Morrison wrote:
> Correct, at the moment there is no requirement to actually authenticate
> the user.  However, I've been told to ensure that, if the client wishes
> (and pays) that the solution could be expanded to do so.

If you are looking for a more general solution, you could use
securityfilter (http://securityfilter.sourceforge.net) which allows you
to heavily customize the authentication process.

> Is this something like you are thinking;
> 
> If the user has a session;
>   let them access what they want
> else if the requested url has a param/value of [insert hash algor]
>   set the user up with a session and let them access what they want
> else
>   return Access Forbidden
> 
> Is this possible in a filter?

This is definitely possible, but I wouldn't use the presence of a
session as your test; instead, I'd use the presence of a particular
key/value pair in the session attributes. Why? Tomcat's
container-managed authentication creates a session for the user before
they have been authenticated. Also, any JSP that accidentally didn't
mention session="false" in its header will create a session. In either
case, your users would be allowed inappropriate access.

How about this:

If the user has a session and they have a valid token in the session
   allow access
else if the request contains a valid token
   place token in session
   allow access
else
   disallow access

>> You could always make your login page just look like a "Forbidden" page.
>> There's nothing that says a login page has to contain a login form :)
> 
> *grin* point, however doesn't the login page get displayed before the
> LoginModule is called?

Yes, but if you've already allowed access (because no interactive
credentials are required), the login page should never be shown, right?
Anyone who sees a login page didn't send a proper token along with their
request, and should end up seeing the "login" page which just says "go
away". I'm not entirely sure how JAAS works, but this sounds reasonable
to me.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkr8Gn4ACgkQ9CaO5/Lv0PDlcgCguLWaGLMueC4Cin0JCa7vpEf6
rlQAni0A6R0FaTwiuLSJ77oSy7eews+C
=Vwv+
-----END PGP SIGNATURE-----
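The three-branch check Chris sketches above (session marker, else request token, else forbidden) as a servlet Filter. This is an added example, not code from the thread or from Tomcat. Everything about the token itself is an assumption, since the thread never fixes the hash scheme: here the request carries `client` and `token` parameters, the token is expected to be the hex HMAC-SHA256 of `client` under a server-side secret supplied as the filter's `secret` init-param, and the session marker is the attribute name `tokenAccessFilter.authenticated`. The test is the marker, never the mere existence of a session, for exactly the reason given above (container auth and session-enabled JSPs create sessions on their own). One caveat the thread does not mention is added: a session that already existed before the token was presented is invalidated and a fresh one created, so an attacker cannot pre-plant a session id and wait for the victim to "log in" to it.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Illustrative token-gate filter; the token scheme and parameter names are assumptions. */
public class TokenAccessFilter implements Filter {

    // Session attribute that only this filter ever sets; its presence is the access test.
    static final String SESSION_ATTR = "tokenAccessFilter.authenticated";

    private byte[] secret;

    public void init(FilterConfig config) throws ServletException {
        String s = config.getInitParameter("secret");   // assumed init-param
        if (s == null || s.isEmpty()) {
            throw new ServletException("init-param 'secret' is required");
        }
        secret = s.getBytes(StandardCharsets.UTF_8);
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Branch 1: a session exists AND it carries our marker -> allow.
        // getSession(false) never creates a session as a side effect of this check.
        HttpSession session = request.getSession(false);
        if (session != null && Boolean.TRUE.equals(session.getAttribute(SESSION_ATTR))) {
            chain.doFilter(req, res);
            return;
        }

        // Branch 2: the request itself carries a valid token -> mark the session, allow.
        String client = request.getParameter("client");   // assumed parameter name
        String token  = request.getParameter("token");    // assumed parameter name
        if (client != null && token != null && isValidToken(client, token)) {
            // Drop any session that existed before authentication (session fixation defence);
            // the marker only ever goes into a session this filter created.
            if (session != null) {
                session.invalidate();
            }
            HttpSession fresh = request.getSession(true);
            fresh.setAttribute(SESSION_ATTR, Boolean.TRUE);
            fresh.setAttribute("client", client);
            chain.doFilter(req, res);
            return;
        }

        // Branch 3: neither -> 403. The container's error page for 403 can be the
        // "go away" page discussed in the thread; no login form is needed.
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
    }

    /** Assumed scheme: token == hex(HMAC-SHA256(secret, client)). Compared in constant time. */
    boolean isValidToken(String client, String token) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] expected = mac.doFinal(client.getBytes(StandardCharsets.UTF_8));
            byte[] presented = hexToBytes(token);
            // MessageDigest.isEqual does a length-independent comparison (Java 6u17+).
            return presented != null && MessageDigest.isEqual(expected, presented);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) {
            return null;
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                return null;
            }
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public void destroy() {
    }
}
```

Map it in web.xml with a `<filter>` element naming this class and an `<init-param>` for `secret`, plus a `<filter-mapping>` on `/*` (or only the protected paths). Because branch 1 tests the marker rather than `getSession(false) != null`, a session created by container-managed authentication or by a JSP that omitted `session="false"` still lands in branch 3. If the client later does pay for real authentication, branch 2 is the only place that needs to change: keep the marker, replace `isValidToken` with whatever credential check is wanted.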
