• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Devaka Cooray
  • Tim Cooke
Sheriffs:
  • Rob Spoor
  • Liutauras Vilda
  • paul wheaton
Saloon Keepers:
  • Tim Holloway
  • Tim Moores
  • Mikalai Zaikin
  • Carey Brown
  • Piet Souris
Bartenders:
  • Stephan van Hulst

Set user principal in a filter

 
Ranch Hand
Posts: 114
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Can I implement a filter which sets the current principal, so that calls to request.getUserPrincipal() work?

An apache server in front of tomcat authenticates my client and delegates a certificate as an http header attribute. I want to read this certificate create a custom principal (which holds the certificate) and set this new user principal in a filter. Can I do this?
 
Ranch Hand
Posts: 161
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Sure you can. I have done this with a request wrapper and a filter for times when I want to make my web application handle the login and role assignment.

Here I override the getUserPrincipal and isUserInRole


and then in the filter,



This is handy when wanting to have the application work in different container environments,
 
Greenhorn
Posts: 19
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
If you don't feel like writing any code to set the user principal, take a look at this open source library...

http://spnego.sourceforge.net

It will set the current principal so that your call to getUserPrincipal() will work.

This project has a bunch of examples to make it as easy as possible to get up an running.
 
Greenhorn
Posts: 28
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
How do you get the filter to be called before the Realm security kicks in?

The filter is called but only after the user has authenticated


 
Bartender
Posts: 10336
Hibernate Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Request's don't need to be authenticated for filter code to run.
 
Krem Reid
Greenhorn
Posts: 28
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I'm a little confused can you help me straighten this out.

I'm using Struts2

I have a jsp that users fill out to register. This goes to my action class which registers the user.
Then the user is forwarded to a "customer action" which has a security constraint



I have the filter put on all /customers



The security constraint is being throw up before the Filter is activated.

I'm using Realm based security.

Where am I going wrong?

Thanks
 
Travis Hein
Ranch Hand
Posts: 161
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Right, this filter to fetch the authenticated user's role would be mapped to urls of the pages you want protected.

The login page should not be protected by this user role filter, so as to allow the login handler retrieve the user profile and stuff it into session attributes, or how ever you implemented my sample above filter to find the user information to stuff it into the UserRoleRequestWrapper

Additionally, since this filter only makes the user principle available, but does not do any policing logic, perhaps another filter that is also mapped to these role protected pages after this one, that would redirect you to the login page if the user principal is not found in the request, or display an error if the user does not have sufficient role privileges.
 
Paul Sturrock
Bartender
Posts: 10336
Hibernate Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Presumably the filter does not apply to the request for authentication. Make your filter match all requests and it should be hit.
 
Krem Reid
Greenhorn
Posts: 28
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Even when changing the URL pattern to <url-pattern>/*</url-pattern>

The Realm Security still kicks in before the Filter

 
Travis Hein
Ranch Hand
Posts: 161
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In that case, if you are using that web.xml security role policy things, you might need to find some kind of container provided mechanism to ensure the request object has the user principal and roles populated before the web application is invoked.

That is, one of the realm implementations that come with tomcat (see http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html) so the user is authenticated and roles are populated into the request before your webapp is invoked.

I created my filter as a work around to having to make use of the container provider realms. Where I stuff in the user principle and roles into the request object with this filer, after I have looked them up in my own mechanism. This was suitable for my use as the application also worked with a 'profile manager' outside of a web application container, so I didn't want to get into contain-specific realm configurations.

Though that also likely makes this filter not compatible with standard web.xml realm and security configurations.
 
Paul Sturrock
Bartender
Posts: 10336
Hibernate Eclipse IDE Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Interesting. I'm currently (coincidently) debugging through an application that hits the filter first (since all requests to a web applciation, including the request for authentication, are routed through my filter). Not sure what you could be doing different.
 
Krem Reid
Greenhorn
Posts: 28
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You would think this is a problem that others have run into before but I can't seem to find anything on the net.

I'm starting to think making the users login after registration is just fine!
 
Legend has it that if you rub the right tiny ad, a genie comes out.
Smokeless wood heat with a rocket mass heater
https://woodheat.net
reply
    Bookmark Topic Watch Topic
  • New Topic