JAAS on Tomcat

 
Greenhorn
Posts: 7
Hi folks,

I need to perform authentication using Tomcat and JAAS. The authentication itself (the check for the username and password) is ok, but I need to put some data into the user session. I know this can be done using Filters but am thinking about something else. Does anyone know about some other way? Does anyone know how to get a reference to HttpRequest from inside the JAAS API?

Thx, Milan
 
Rancher
Posts: 43081
JAAS does not have anything servlet-specific - it is a general purpose API. However you use it should not influence what you put in a session, or where.

One way of doing authentication/authorization in a servlet context would be to do it completely inside of a filter, and store relevant objects in a session right there. That way you keep the rest of the request processing free of auth code.

What are you referring to when you say that you are "thinking about something else"?
 
Milan Maric
Greenhorn
Posts: 7
Hi Ulf,

thx for reply - I'd like to avoid filters because in that case I need to check each request for such a simple thing as putting user id into session, instead of doing it once at the login time.

At the moment I'm thinking of passing a request as a parameter to CallbackHandler (so in LoginModule I can fetch request from CallbackHandler).

The other option (which I'm not sure about yet): is it possible to use JACC and get the request from its PolicyContext inside Tomcat somehow?
 
Ulf Dittmer
Rancher
Posts: 43081

> I'd like to avoid filters because in that case I need to check each request for such a simple thing as putting user id into session, instead of doing it once at the login time.

Why would you need to do the auth over and over again, just because it's located in a filter? If the session already contains auth info, you can just skip over the JAAS part.

> I'm thinking of passing a request as a parameter to CallbackHandler

It would be a better design not to pass the request, but the values (username, password, etc.) it contains. That way you can reuse the auth logic outside of a servlet environment.
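
A sketch of the filter design described in this reply, added here as an example and not code posted by anyone in the thread: JAAS is skipped when the session already holds auth info, and the CallbackHandler receives only the username and password values, never the request. The `javax.servlet` API (Servlet 3.1 or later), the JAAS entry name `AppLogin`, the form parameters `username` and `password`, and the session attribute `userId` are all assumptions.

```java
import java.io.IOException;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;
// Added example: assumes the javax.servlet API, Servlet 3.1+ (for changeSessionId).
public class JaasLoginFilter implements Filter {
    private static final String USER_ATTR = "userId";    // hypothetical session attribute
    private static final String JAAS_ENTRY = "AppLogin"; // hypothetical JAAS config entry
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);
        // Session already contains auth info: skip the JAAS part entirely.
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(rq, rs);
            return;
        }
        String user = req.getParameter("username"); // hypothetical form fields
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The handler carries only the values, so the LoginModule stays servlet-free.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try {
            new LoginContext(JAAS_ENTRY, handler).login();
        } catch (LoginException e) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession(true);   // make sure a session exists before rotating its id
        req.changeSessionId();  // issue a fresh session id at login (session fixation defence)
        req.getSession().setAttribute(USER_ATTR, user);
        chain.doFilter(rq, rs);
    }
}
```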
 
Milan Maric
Greenhorn
Posts: 7
I guess you're right on both of these issues.
There had been several details that were not clear to me, thanks!
[ January 16, 2006: Message edited by: Milan Maric ]
 