Stephen,

Stephen More wrote:
> If I implement application-managed security ( I need to use cookies
> for "Remember Me" ), is there a way to make it such that
> HttpServletRequest.getRemoteUser() and
> HttpServletRequest.isUserInRole(java.lang.String role) will respond
> with values from the actual logged in user ?

Yes...

> In servlet 2.3, you can legally wrap a request (or response, for that
> matter, but it's request that matters for this purpose) before
> handing it on via RequestDispatcher. Indeed, you can set up a Filter
> that gets control before the servlet does and plays the same game.
> Therefore, you can modify what isUserInRole() or getUserPrincipal()
> will return to the called servlet.

Yes, this is how to do it. If you don't want to do it yourself, you can
use securityfilter (http://securityfilter.sourceforge.net), which has
already been written. You can hack it to meet your needs, but I think it
also has "remember me" capability already built-in. If it doesn't, add
it (and post a patch!).

sf does authentication and authorization itself, so you may be able to
replace your existing app-based security entirely with sf. I use it on
my project with great success. Since the Principal object is accessible
via the session, I can even perform "su"-style user impersonation for
administrative users.

> Now that it is 2007, is the Filter + RequestDispatcher still the way
> to implement this or is there a better way ? Is there an example of
> this somewhere out there ?

The best example I can think of is securityfilter.

> Other options I am thinking of:
> - write my own Realm implementation

I don't think the Realm has access to the request for authentication. It
does for authorization, but not authentication, so I think you're out of
luck.

> - stick with container-based security and find a way to make
> cookies for "Remember Me" work.

I think you're out of luck, here, too.

Check out sf. I think you'll be pleasantly surprised.
The code is very straightforward, too, though the documentation is a
little thin.

-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org