On Fri, 31 Jan 2003 [EMAIL PROTECTED] wrote:
> Date: Fri, 31 Jan 2003 15:52:57 -0500 (EST)
> From: [EMAIL PROTECTED]
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: authentication and filters
>
>
> I have narrowed down my problem:
>
> Wrapping the HttpServletRequest is not sufficient because CoyoteRequest
> and CoyoteRequestFacade mask the real user principal. A
> 'setUserPrincipal' call cannot be made on the HttpServletRequest in the
> Filter because the type is CoyoteRequestFacade, and not CoyoteRequest
> (which supports setUserPrincipal). Why the servlet spec omits
> 'setUserPrincipal' in HttpServletRequest interface, I do not know. But
> since it cannot be set on the CoyoteRequestFacade, all 'isUserInRole'
> calls delegated to CoyoteRequestFacade will return false, because
> CoyoteRequestFacade does not have a valid user principal.
>
> This could be worked around if there were just a call in
> CoyoteRequestFacade to return the actual CoyoteRequest upon which the
> userPrincipal could be set.
>

That would defeat the whole purpose of having the facade, which is to
*prevent* applications from messing with container internal objects.

Instead, you need to override the getRemoteUser(), getUserPrincipal, and
isUserInRole() methods in your wrapper class.

> Aaron Hamid

Craig
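
The wrapper approach described in the reply above, as an added example that is not part of the original thread or of Tomcat's code. The class name AuthenticatedRequest and its constructor arguments are assumptions; it uses the javax.servlet API of that era.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper (name and constructor are assumptions, not Tomcat code).
// A Filter that has already authenticated the caller hands it down the chain:
//   chain.doFilter(new AuthenticatedRequest(httpReq, principal, roles), response);
public class AuthenticatedRequest extends HttpServletRequestWrapper {
    private final Principal principal;
    private final Set<String> roles;

    public AuthenticatedRequest(HttpServletRequest request,
                                Principal principal,
                                Set<String> roles) {
        super(request);
        if (principal == null || roles == null) {
            // Fail closed: never build a wrapper that reports a half-set identity.
            throw new IllegalArgumentException("principal and roles are required");
        }
        this.principal = principal;
        // Defensive copy so later changes to the caller's set cannot add roles.
        this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
    }

    @Override
    public Principal getUserPrincipal() {
        return principal;
    }

    @Override
    public String getRemoteUser() {
        return principal.getName();
    }

    @Override
    public boolean isUserInRole(String role) {
        // Answered from the filter's own role set. Delegating to the wrapped
        // facade would return false, because the container has no principal.
        return role != null && roles.contains(role);
    }
}
```

These overrides are seen only by code that calls the request API downstream of the filter. Security constraints declared in web.xml are enforced by the container before the filter chain runs and do not consult the wrapper.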