Mark, A year ago I skimmed through SecurityFilter(.sourceforge.net) to see how they did things like this. I recommend you download the code and see how they went from a session filter based on their own forms to putting credentials into Tomcat. I clearly remember they had a Tomcat (Catalina) connector in one of their modules.
Regards, David -----Original Message----- From: Mark Benussi [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 09, 2005 6:37 AM To: user@struts.apache.org Subject: Re: Last question on JAAS I promise Um wow.... so Form authentication works but not my own. Thats fine then, I can get the Subject that has been authenticated but how do I place the Principals returned from the LoginContext Subject and make them available to the session so that I can do requst.isUserInRole? Is there a session variable I have to set? ----Original Message Follows---- From: Adam Hardy <[EMAIL PROTECTED]> Reply-To: "Struts Users Mailing List" <user@struts.apache.org> To: Struts Users Mailing List <user@struts.apache.org> Subject: Re: Last question on JAAS I promise Date: Tue, 09 Aug 2005 09:49:59 +0100 Mark Benussi on 09/08/05 08:39, wrote: >OK I got JAAS working with form authentication. That worked a treat (After >a >bit of head banging). > >I then moved to invoking the login from Struts (Or a Servlet for Tomcat >users who don't use Struts) > >The code still gets invoked correctly. > >IBTJAASCallbackHandler callbackHandler = new >IBTJAASCallbackHandler(loginForm.getUserName(), loginForm.getPassword()); >LoginContext context = new LoginContext("IBTJAAS", callbackHandler); >context.login(); > >However the request.remoteUser() is now null (Was populated correctly when >I >used form authentication) and the same for request.isUserInRole() (It >returns false, even though the Principal was added to the subject). > >Any ideas...? I could be totally wrong but I believe that I have read about people trying this before, and that the answer was that you have to do it all yourself. I hesitate to say that since I'm not 100% sure but I think it's true because it makes sense that the container (request.isUserInRole etc) would know nothing about what you are doing with LoginContext and CallbackHandler. I don't think there is any code in LoginContext that injects your info into the servlet container, is there? In this situation, you would override the HttpServletRequest class, overriding those methods with your own so that they look for your login info and return user objects, roles etc when required. You could ask on the tomcat user list but I too have found it difficult to get help there. Adam --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
