Hi, I am new to the list, so nice to meet you.

I found this thread in the archives while researching a way to do
something similar.

I want to implement an authenticator that uses information in the
session to augment the authentication. I have looked into creating a
subclass of FormAuthenticator and it seems fairly straightforward. My
plan is to override the authenticate() method and:

1. Check if the session is properly initialized (not sure how yet), and
if not do something similar to the login form submission piece to
collect prerequisite session info.
2. Build the username from the one submitted on the login form and from
arbitrary session variables.
3. Hand off the rest of the authentication to FormAuthenticator for
Realm-based authentication.

This strategy would also allow me to build in "3 strikes and you're out"
functionality as I am inspecting the session before sending the
authentication request to the realm.

Questions:

1. Is the entire idea wrongheaded for some reason that I am missing?
2. Any gotchas someone would like to point out for me?
3. authenticate() is an awfully long method. Would anyone object to
breaking it down into several protected method calls so that I can just
override those and leave the rest up to FormAuthenticator? Currently I
have to copy a lot of code into my subclass. I will be happy to submit
my changes upstream. I have worked a little with the Jakarta community
and know the routine... you guys haven't switched to Scarab yet, have you?

--
Ryan Hoegg
ISIS Networks
http://www.isisnetworks.net
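
Added example, not part of the original message and not Tomcat code: the "3 strikes and you're out" check from the post, run once with the failure counter keyed by session id and once keyed by username, to show that a counter kept only in the session starts over with every new session. All class and method names, the session ids and the sample credentials are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

/** Added illustration, not Tomcat code. All names here are hypothetical. */
public class StrikeDemo {
    static final int MAX_STRIKES = 3;

    /** Counts failed logins under an arbitrary key and locks at MAX_STRIKES. */
    static class StrikeCounter {
        private final Map<String, Integer> failures = new HashMap<>();
        boolean isLocked(String key) { return failures.getOrDefault(key, 0) >= MAX_STRIKES; }
        void recordFailure(String key) { failures.merge(key, 1, Integer::sum); }
        void recordSuccess(String key) { failures.remove(key); }
    }

    /** Stand-in for the Realm check; the credentials are constructed sample values. */
    static boolean realmAccepts(String user, String password) {
        return "alice".equals(user) && "correct-horse".equals(password);
    }

    /** Checks the lock first, then the realm; returns true only on a successful login. */
    static boolean login(StrikeCounter counter, String key, String user, String password) {
        if (counter.isLocked(key)) return false;
        if (realmAccepts(user, password)) {
            counter.recordSuccess(key);
            return true;
        }
        counter.recordFailure(key);
        return false;
    }

    public static void main(String[] args) {
        StrikeCounter bySession = new StrikeCounter();
        StrikeCounter byUser = new StrikeCounter();
        // Constructed input: six failed attempts, each arriving in a new session.
        for (int i = 0; i < 6; i++) {
            login(bySession, "session-" + i, "alice", "guess" + i);
            login(byUser, "alice", "alice", "guess" + i);
        }
        // Each session holds one failure, so the session-keyed lock is never set.
        System.out.println("session-keyed locked: " + bySession.isLocked("session-5"));
        // The username-keyed counter reaches MAX_STRIKES on the third attempt.
        System.out.println("user-keyed locked: " + byUser.isLocked("alice"));
        // While that lock holds, the correct password is refused as well.
        System.out.println("valid login accepted: " + login(byUser, "alice", "alice", "correct-horse"));
    }
}
```

A lockout counter therefore needs a key the server controls, such as the username, stored outside the session; the session can still carry the extra values used to build the username.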