Re: tomcat-5.0.27 authentication/authorization
From: Daniel Rohe (daniel.rohe_at_stud.tu-ilmenau.de)
Date: 01/27/05
Date: Thu, 27 Jan 2005 09:42:09 +0100
Hello mate,
"mate" <mate_markovic_os@yahoo.com> wrote in message
news:ct91dr$orh$1@ls219.htnet.hr...
>>> To make something similar like FORM but with my JSP field name and my
>>> action instead of j_security_check.
>>>
>>> Do you know how to do this?
>>
>> Here you have a problem! Look at the servlet specification 2.3 page 83.
>> Under SRV.12.5.3 are the field names j_username and j_password for a
>> form-based authentication specified.
>
> I know that and I want to have my field names and my action.
> Servlet server make this somehow and if "he" can could can also!
> But I don't know how!
> I did check the Tomcat source but I found j_security_check in two files and
> these files are C++ (?) files!!!
Which Tomcat version? I have version 5.0.29 and in the class
org.apache.catalina.authenticator.FormAuthenticator is the form login
implemented. This class uses org.apache.catalina.authenticator.Constants
where the constants (j_username etc) are defined.
>
> What do you think?
> Is it possible to do this?
Everything is possible ;-)! But how much does it cost?
If you don't use an application server and don't want to propagate the
authentication to it then you could implement your own authentication and
authorization. You should store user information in the session and use a
listener to check authentication and authorization. But you must implement
all the authentication and authorization stuff on your own ;-(.
The listener will check the session and if it finds the user information in
the session it will do nothing. If it finds no user information in the
current request and the request is not the login page, it must store the
current request and forward to the login page. After the user has entered
his authentication information in the login page he presses a button. Then
the listener must authenticate the user and forward to the old request.
With built-in authentication you can do something like the following:
You talk about action, so I think you use Struts as web framework. Why don't
you make a login action that redirects to a restricted area? Because of the
restricted area Tomcat checks the internal session, to see if authentication
was performed. If not it displays the login-page (with j_username,
j_password and j_security_check). After authentication it redirects to the
original url. There can be an action which redirects to the first page. You
can then get the authentication information from the request via
request#getUserPrincipal(). If the principal object is null no
authentication was performed. Otherwise the principal#getName() contains the
username. With request#isUserInRole() you can check if the authenticated
user has the given role.
Greetings
Daniel
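
The session check described in the message above, written as a servlet filter with custom form field names. This is an added example, not code from the original post or from Tomcat; the paths /login.jsp and /doLogin, the form fields name and pass, the session attributes user and savedRequest, and the checkCredentials() placeholder are all assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: session-based login check with custom field names.
// Assumed names: /login.jsp, /doLogin, form fields "name"/"pass",
// session attributes "user"/"savedRequest", checkCredentials().
public class LoginFilter implements Filter {
    private static final String LOGIN_PAGE = "/login.jsp";
    private static final String LOGIN_ACTION = "/doLogin";
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info != null ? info : "");
        HttpSession session = req.getSession(false);

        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res);              // already authenticated
        } else if (LOGIN_PAGE.equals(path)) {
            chain.doFilter(req, res);              // the login page itself is public
        } else if (LOGIN_ACTION.equals(path) && "POST".equals(req.getMethod())) {
            String user = req.getParameter("name");
            if (user != null && checkCredentials(user, req.getParameter("pass"))) {
                Object saved = session == null ? null : session.getAttribute("savedRequest");
                if (session != null) session.invalidate();   // fresh session id after login
                req.getSession(true).setAttribute("user", user);
                // saved is the application-relative path stored below, not a URL parameter
                res.sendRedirect(req.getContextPath() + (saved != null ? (String) saved : "/"));
            } else {
                res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            }
        } else {
            // remember where the user wanted to go, then show the login page
            String q = req.getQueryString();
            req.getSession(true).setAttribute("savedRequest", path + (q != null ? "?" + q : ""));
            req.getRequestDispatcher(LOGIN_PAGE).forward(req, res);
        }
    }

    // Placeholder: denies everyone until wired to the application's user store.
    private boolean checkCredentials(String user, String password) {
        return false;
    }
}
```

The filter has to be mapped to /* in web.xml to cover the whole application. A POST body sent with the intercepted request is not replayed after login; only the path and query string are restored.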