Christopher Schultz wrote:
> André,
>
> On 2/20/13 4:20 PM, André Warnier wrote:
>> In relation to a couple of recent posts, I have a naive question:
>>
>> In a servlet, to retrieve the authenticated user-id (if any), I use
>>
>> String userName = request.getRemoteUser();
>>
>> Now, suppose I wanted to create a servlet filter which (under
>> certain conditions), would force the current request to be
>> authenticated as user "someuser", how would I do that?
>>
>> I s'pose it would be too much to ask that it would just be
>>
>> request.setRemoteUser("someuser");
>
> As long as you only want to "trick" some filter or servlet
> further-down from your own, you can install a filter that:
>
> 1. Wraps the request with an HttpServletRequestWrapper which...
> 2. overrides getRemoteUser() to return whatever you want it to return.
>
> If you have to pull the wool over the eyes of a Valve, you'll have to
> write a Valve and install it at a suitably-early point in the pipeline.

Well,
Mark Thomas wrote:
>
> Almost, but you need to use a method that actually exists in the API.
>
> HttpServletRequest.login(String username, String password)
>
So it does not appear so easy after all.
To Mark : why "password" ?
To Chris : why is that so complicated ?
In my idea, this thing consisted simply in "stuffing" a user-id in the userPrincipal
object associated to the current request. I don't really need a password, do I ? I do not
really want this to run again through any real authentication mechanism; I know that
whatever user-id I put in there is "valid enough".
I know that the Request itself is not modifiable, but the place where the associated
user-id is stored is not directly in the Request, or is it ?
The idea is for example (as in a recent post to the list) : the servlet filter checks that
the request is coming from the internal network. If so, we can just set the user-id to
"internal" and let it through. Otherwise, we return a 401 or a login page e.g.
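
An added example, not part of the original thread: a sketch of the wrapper-based filter Chris describes, applied to the "internal network" case from the message above. The class names (InternalUserFilter, FixedUserRequest) and the definition of "internal" as a loopback or site-local peer address are assumptions made for this example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

public class InternalUserFilter implements Filter {
    private static final String INTERNAL_USER = "internal"; // user-id from the post

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (http.getRemoteUser() != null) {   // already authenticated: do not override
            chain.doFilter(req, res);
            return;
        }
        // Decide on the socket peer address only. Headers such as
        // X-Forwarded-For are supplied by the client and must not be trusted here.
        InetAddress peer = InetAddress.getByName(http.getRemoteAddr());
        if (peer.isSiteLocalAddress() || peer.isLoopbackAddress()) {
            chain.doFilter(new FixedUserRequest(http, INTERNAL_USER), res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /** Reports a fixed user to everything downstream of the filter. */
    static final class FixedUserRequest extends HttpServletRequestWrapper {
        private final Principal principal;

        FixedUserRequest(HttpServletRequest request, final String name) {
            super(request);
            this.principal = new Principal() {
                @Override public String getName() { return name; }
            };
        }
        // Keep the three identity accessors consistent with each other.
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return false; } // grants no roles
    }
}
```

Behind a reverse proxy, getRemoteAddr() returns the proxy's address, so every request would be treated as internal unless the container is configured to restore the real peer address. Container-managed security constraints and Valves run before any filter and never see the wrapped user, which is the limitation Chris points out.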