-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Brian,
On 9/4/2010 11:42 AM, Brian McBride wrote: > On 04/09/2010 15:27, Jason Britton wrote: >> I would look at a servlet filter to provide this sort of dynamic access >> control. > That's what I'm doing. The filter needs to know the user id - and I was > hoping to resuse Tomcat's authentication mechanism for that. But I > don't think I can :( Here's something you can do. Write a filter that you attach to URLs that /are/ used for authentication, and then copy the user's username into the session. In your authentication filter, use the username stored in the session instead of calling request.getRemoteUser. Alternatively, you can wrap the request in your own wrapper and override getRemoteUser to get the username from the session if it's not available from the request. I'm sure there are some edge cases where an authenticated user might end up looking like a "guest", but you cna probably solve those. If you always use HTTP Authentication (it wasn't clear what was really going on, with all that talk about DIGEST authentication), then you can always get the username from the request headers. In that case, your filter can use that as a source of authentication data, too. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkyJK9sACgkQ9CaO5/Lv0PCyBwCfexhjBY+HPaAkrKgxonWjY/Xs kyEAn3OvtkaAdgoruHvSkn2oEt5HFl6z =dnvR -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
