Remon Sadikni wrote:
> Hi André, hi Christopher,
> thanks for your answers.
>
>> The use of HTTP BASIC authentication confuses things here because of
>> the credential transfer mechanism (HTTP headers). I suppose you could
>> write a Valve that sniffs the user's IP address and then adds HTTP
>> headers to the request for the "Authentication" header to essentially
>> force a login. You'll have to decide what the user's Principal will
>> need to look like (because Tomcat will actually try to /verify/ the
>> fake-user's credentials and maintain a "login" for them, running
>> proper authorization checks, etc.) in order to actually work.
>
> I think I will try this. Are there any tutorials for writing a Valve? I
> am a Java programmer but new to Valves.

I am not really a Java programmer, so what I say below may be wrong, and should be
confirmed by a better guru.
The reason why I was mentioning further complexity for the Valve solution is that, as far
as I know, the HttpServletRequest object is "immutable" (in other words, read-only), as it is
received. So you cannot just take the incoming HttpServletRequest, and if the IP address
matches, add a "fake" "Authorization:" header to it with some generic user-id/password.
You will have to wrap the original HttpServletRequest into a custom HttpServletRequest
wrapper (à la "class CustomRequest extends HttpServletRequestWrapper"), add the fake
header there, and forward this CustomRequest instead of the original for further
processing. In the wrapper class, you also have to override whichever method the Tomcat
Basic authentication mechanism uses to retrieve the additional "Authorization:" header
(getHeaderNames, getHeader, getHeaders, ...).
At least, that is what I had to do the last time I wrote some Tomcat authentication code
as a Servlet Filter. Maybe for a Valve, the situation is different.
Maybe for a seasoned Java programmer this is all a piece of cake; but as for me, I had to
find out the above the hard way, and it was all a bit of a challenge.
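
The wrapper approach described above, as an added example (not code from this thread or from Tomcat): a servlet Filter that wraps requests from an allow-listed address and answers the three header methods with a fixed "Authorization" value. It assumes the javax.servlet API and that the credential check runs downstream of the filter and reads the header through the servlet API; the class names, address and credentials are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: every name and value below is hypothetical.
public class TrustedAddressAuthFilter implements Filter {
    // Constructed sample values; load real ones from protected configuration.
    private static final Set<String> TRUSTED = Set.of("192.0.2.10");
    private static final String HEADER = "Basic " + Base64.getEncoder()
            .encodeToString("intranet-user:changeit".getBytes(StandardCharsets.UTF_8));

    static class CustomRequest extends HttpServletRequestWrapper {
        CustomRequest(HttpServletRequest req) { super(req); }

        private static boolean isAuth(String n) { return "Authorization".equalsIgnoreCase(n); }

        // All three header accessors must agree, or downstream code sees an inconsistent request.
        @Override public String getHeader(String name) {
            return isAuth(name) ? HEADER : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            return isAuth(name) ? Collections.enumeration(List.of(HEADER)) : super.getHeaders(name);
        }
        @Override public Enumeration<String> getHeaderNames() {
            Set<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
            names.addAll(Collections.list(super.getHeaderNames()));
            names.add("Authorization");
            return Collections.enumeration(names);
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRemoteAddr() is the TCP peer. Behind a reverse proxy that is the proxy itself,
        // so every proxied client would match; client-supplied forwarding headers are not a substitute.
        boolean inject = TRUSTED.contains(http.getRemoteAddr())
                && http.getHeader("Authorization") == null; // never override real credentials
        chain.doFilter(inject ? new CustomRequest(http) : http, res);
    }
}
```

Container-managed authentication runs before the filter chain, so a filter like this only affects code that executes after it.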