I've gone a slightly different way now, but what I've done is this...
I've extended the JNDIRealm (or JDBC or whatever), which within this
adds the username of the logged in user into a 1 field table if the user
has successfully logged in.
After the user has logged in, a filter is run (that has the same
wildcards as the security) which checks for the above record. If it
exists, it checks a "justLoggedIn" boolean as true in the session and
deletes the record from the database.
After that, in the filter we do...
    if (session.justLoggedIn)
    {
        session.justLoggedIn = false;
        redirect to the "index page";
    }
    else
    {
        don't redirect
    }
I think the above should work without having to fiddle too much with
Tomcat's internals! I would rather not have to access the database, but
I can't think of an object which both the JNDIRealm and the Servlet both
have access to and could be modified with something like a
"justLoggedIn" property as I've used above.
I've considered a ThreadLocal variable, but I've yet to figure out
whether both the execution of the Realm's authenticate() method and the
Filter itself is actually the same Thread.
Thanks for your help!
Gregor Schneider wrote:
Forget about all the above, it doesn't work.
You will have to subclass the used Authenticator-Class (i.e.
org.apache.catalina.authenticator.FormAuthenticator), create a jar from it
and put this jar into server/lib of your Tomcat-Installation-directory.
Then you'll have to patch catalina.jar: Inside is a file called
Authenticator.properties, and you will have to exchange Tomcat's
Authenticator-class with your own.
So far, so easy:
Unfortunately, just subclassing i.e. FormAuthenticator and then doing your own
stuff won't work, since the coding of the authenticate()-method is
spaghetti-code at its worst: Maybe the author wanted to create security by
obscurity, I don't know:
I copied the whole authenticate()-method and the saveRequest()-method (which
is private) and changed the saveRequest()-method like this (I'm always
forwarding to "http://myContect/index.htm"):
    private void saveRequest(HttpRequest request, Session session) {
        // Create and populate a SavedRequest object for this request
        HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
        SavedRequest saved = new SavedRequest();
        Cookie cookies[] = hreq.getCookies();
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++)
                saved.addCookie(cookies[i]);
        }
        Enumeration names = hreq.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            Enumeration values = hreq.getHeaders(name);
            while (values.hasMoreElements()) {
                String value = (String) values.nextElement();
                saved.addHeader(name, value);
            }
        }
        Enumeration locales = hreq.getLocales();
        while (locales.hasMoreElements()) {
            Locale locale = (Locale) locales.nextElement();
            saved.addLocale(locale);
        }
        Map parameters = hreq.getParameterMap();
        Iterator paramNames = parameters.keySet().iterator();
        while (paramNames.hasNext()) {
            String paramName = (String) paramNames.next();
            String paramValues[] = (String[]) parameters.get(paramName);
            saved.addParameter(paramName, paramValues);
        }
        saved.setMethod(hreq.getMethod());
        saved.setQueryString(hreq.getQueryString());
        //saved.setRequestURI(hreq.getRequestURI());
        String context = (hreq.getContextPath());
        System.out.println (context);
        // IN HERE YOU WILL HAVE TO INSERT YOUR OWN FORWARD
        saved.setRequestURI(context + "/index.htm");
        // Stash the SavedRequest in our session for later use
        session.setNote(Constants.FORM_REQUEST_NOTE, saved);
    }
Somebody else in this mailing list suggested using a valve, however, a valve
is good enough to get the credentials via picking the request-parameters,
but I found no way of changing the saved URL in j_security_check without
subclassing and patching catalina.jar.
Btw., I did that for Tomcat 5.0.28
Hope that helps!
Greg
--
Fugro Robertson Limited Telephone: +44+ (0)1492 581811
Tyn-y-coed Site Fax: +44+ (0)1492 583416
Llanrhos
Llandudno
North Wales
UK LL30 1SA
General Email: [EMAIL PROTECTED]
World Wide Website: www.fugro-robertson.com
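The filter described in the first message of this thread, written out as an added example (it is not code from either poster or from Tomcat). `LoginMarkerStore`, the `loginMarkerStore` context attribute and the class name are hypothetical; `/index.htm` is the landing page used in the quoted message, and the extended Realm is assumed to insert the username on successful login.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical wrapper around the one-column table the extended Realm inserts into.
interface LoginMarkerStore {
    // Must be a single DELETE ... WHERE username = ? that reports whether a row
    // was removed, so two parallel requests cannot both see the same marker.
    boolean consume(String username);
}

public class JustLoggedInFilter implements Filter {
    // Fixed landing page (path from the quoted message); never taken from the request.
    private static final String LANDING = "/index.htm";
    private LoginMarkerStore store;

    public void init(FilterConfig cfg) throws ServletException {
        // Assumption: the application placed the store in the ServletContext.
        store = (LoginMarkerStore) cfg.getServletContext().getAttribute("loginMarkerStore");
        if (store == null) throw new ServletException("loginMarkerStore not configured");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;
        String user = hreq.getRemoteUser(); // null until container login succeeded
        if (user != null) {
            HttpSession session = hreq.getSession();
            // The marker is keyed by username only: if one user logs in from two
            // browsers at once, either session may be the one that consumes it.
            if (store.consume(user)) {
                session.setAttribute("justLoggedIn", Boolean.TRUE);
            }
            if (Boolean.TRUE.equals(session.getAttribute("justLoggedIn"))) {
                session.setAttribute("justLoggedIn", Boolean.FALSE);
                hres.sendRedirect(hres.encodeRedirectURL(hreq.getContextPath() + LANDING));
                return; // do not continue the chain after redirecting
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter mapping in web.xml should use the same URL patterns as the security constraint, as the first message describes.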