Christopher Schultz wrote:

Mark,

On 11/18/2009 11:42 AM, Mark Thomas wrote:
João Nuno Silva wrote:
Hi, this is my first question to the list so please be gentle :)

My question is about a Tomcat feature available when using container
managed authentication. If a user requests a protected resource, Tomcat
first authenticates the user and then processes the initial request
whether it's a GET or a POST. I've been doing an in-house authentication
mechanism which tries to mimic this functionality.

I'm having a bit of trouble replicating the POST requests after
successful user authentication. I've managed to replicate GET requests
by doing a forward or a sendRedirect to the pre-authentication URL but
with a POST things get harder. Is there any way to achieve this without
using container managed authentication?
Maybe. If I recall correctly, I implemented that using access to the
Tomcat internals. You may be able to do this with just the Servlet API
but I didn't try.

This should be possible as long as you can save the entire request,
including headers and body.

What if that POST also included
one file upload, would that make it impossible to replicate the request?
No. You just read the input, save it and replay it later.

+1

Note that "replay" basically means that a new request object must be
created and used to forward the request using the request dispatcher to
the intended target.

I can't remember right this second, but I think the servlet spec says
something like "you aren't allowed to substitute one request for
another", so you may have to wrap the real request (the one carrying a
successful login) with one that basically re-writes everything.
Something doesn't seem right about that, but João should read the
servlet specification very carefully to make sure that his solution is
compliant.
From what I've seen in the FormAuthenticator class Mark pointed me to, Tomcat doesn't create a new request; instead it fills its fields with the values from the previous request. I'll try this in the near future and let you guys know how it went. Thanks!
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
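
Added example, not code from the thread or from Tomcat: one way to do the wrapping Chris describes using only the Servlet API, as a hypothetical `ReplayedRequest` that sits on top of the authenticated request and reports the saved method, content type, parameters and body. It assumes javax.servlet 3.1 or later and that the body was captured before login with the hypothetical `readBounded` helper (the size cap is an assumption, so that an unauthenticated upload is never buffered without limit); `getReader()` and all other headers still come from the live request.

```java
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical wrapper: shows a saved pre-login request on top of the post-login one. */
public class ReplayedRequest extends HttpServletRequestWrapper {
    private final String method, contentType;
    private final Map<String, String[]> params;
    private final byte[] body;

    public ReplayedRequest(HttpServletRequest live, String method, String contentType,
                           Map<String, String[]> params, byte[] body) {
        super(live); // session and authenticated principal still come from the live request
        this.method = method; this.contentType = contentType;
        this.params = params; this.body = body;
    }

    /** Reads the body to be saved; fails instead of buffering more than maxBytes. */
    public static byte[] readBounded(InputStream in, int maxBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        for (int n; (n = in.read(buf)) != -1; ) {
            if (out.size() + n > maxBytes) throw new IOException("body exceeds save limit");
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    @Override public String getMethod() { return method; }
    @Override public String getContentType() { return contentType; }
    @Override public int getContentLength() { return body.length; }
    @Override public String getParameter(String name) {
        String[] v = params.get(name);
        return (v == null || v.length == 0) ? null : v[0];
    }
    @Override public String[] getParameterValues(String name) { return params.get(name); }
    @Override public Map<String, String[]> getParameterMap() { return params; }
    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    @Override public ServletInputStream getInputStream() {
        final ByteArrayInputStream in = new ByteArrayInputStream(body);
        return new ServletInputStream() { // synchronous replay of the saved bytes only
            @Override public int read() { return in.read(); }
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException(); }
        };
    }
}
```

After a successful login the wrapped request would be passed to `RequestDispatcher.forward`, which is the dispatcher-based replay mentioned in the thread.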



