Hello everybody,

a JAAS login module - the first one I've actually written - authenticates a user by connecting to an IMAP server and if the connection is established, the credentials are considered valid and the user is authenticated. (I've written about that in another mail last week I think.)
As yet everything is done by means of the j_security_check. But now two problems arise.

The credentials are needed in several servlets, as the web app will be a mail application. According to the servlet specs (12.3 Programmatic Security) programmatic security consists of

- getRemoteUser
- isUserInRole
- getUserPrincipal

After using getUserPrincipal the application has to call doAs() (JAAS Authorization) and proceed the same code as the login module to retrieve the subject which stores the username and password (lc.getSubject(); subject.getPrivateCredentials()).

Choosing this way means: 2 logins in every servlet.

1st login: to authenticate in order to call doAs();
2nd login: to process the application code, like fetching messages, creating folders, etc.

Is there any way by the means of Tomcat to get the credentials that are delivered to j_security_check (initial login), in order to store them in the Session object? So I could omit the extra server login for doAs() to retrieve the credentials that way. Or do I need to write an extra servlet to do that? I would then bypass j_security_check.

The second problem is simple compared to the above: Where is the correct place for application defined configuration and how to access configuration values from within a servlet?

Best Regards,

Oliver Block