Posted to users@tomcat.apache.org by "Dr. Evil" <dr...@sidereal.kz> on 2001/10/18 11:04:05 UTC
Using a servlet for authorization
I am trying to use a servlet for authorization like this:

There is a servlet called authservlet which checks to see if there is
a valid user object in the session state. Here is how it is used:

I have a directory called /secure with a bunch of .jsp files in it.

There is a mapping in web.xml:

    <servlet-mapping>
        <servlet-name>
            authservlet
        </servlet-name>
        <url-pattern>
            /secure/*
        </url-pattern>
    </servlet-mapping>

Every time someone tries to request a page like /secure/hello.jsp, the
request is instead handed to authservlet. That part is working fine.
authservlet gets the request and can decide what to do with it.

The problem is that I am trying to get authservlet to pass the request
back to the jsp by doing something like this:

    RequestDispatcher rd =
        request.getRequestDispatcher("/secure/hello.jsp");
    rd.forward(request, response);

where in this case I have hard-coded in hello.jsp as the target, just
for testing (obviously I will replace this with something which looks
at what the real url is).

The problem is, when I then try to load /secure/hello.jsp, it looks
like the server goes into an infinite loop. It never returns the page
and I end up with a bunch of catalina processes running, which I have
to kill -9 to get rid of.

I'm sure I'm making some simple mistake here. Any suggestions?

Thanks

Figured it out (was Re: Using a servlet for authorization)
Posted by "Dr. Evil" <dr...@sidereal.kz>.
This...

> <servlet-mapping>
>     <servlet-name>
>         authservlet
>     </servlet-name>
>     <url-pattern>
>         /secure/*
>     </url-pattern>
> </servlet-mapping>

and this

> RequestDispatcher rd =
>     request.getRequestDispatcher("/secure/hello.jsp");
> rd.forward(request, response);

were causing a horrible loop. I didn't realize that Tomcat would run
the servlet mappings on the args to getRequestDispatcher, but it
does. The solution is simple: make the url-pattern something else,
like securepages, and then it can serve the files out of the /secure/
directory.

This is going to be a fantastically useful auth method once I get it all
working. Yet again, I find that Tomcat is enormously powerful and has
a steep learning curve. The two go together I guess.

Re: Using a servlet for authorization
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On 18 Oct 2001, Dr. Evil wrote:
> Date: 18 Oct 2001 09:04:05 -0000
> From: Dr. Evil <dr...@sidereal.kz>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Using a servlet for authorization
>
>
> I am trying to use a servlet for authorization like this:
>
> There is a servlet called authservlet which checks to see if there is
> a valid user object in the session state. Here is how it is used:
>
> I have a directory called /secure with a bunch of .jsp files in it.
>
> There is a mapping in web.xml:
>
> <servlet-mapping>
> <servlet-name>
> authservlet
> </servlet-name>
> <url-pattern>
> /secure/*
> </url-pattern>
> </servlet-mapping>
>
> Every time someone tries to request a page like /secure/hello.jsp, the
> request is instead handed to authservlet. That part is working fine.
> authservlet gets the request and can decide what to do with it.
>
> The problem is that I am trying to get authservlet to pass the request
> back to the jsp by doing something like this:
>
> RequestDispatcher rd =
> request.getRequestDispatcher("/secure/hello.jsp");
> rd.forward(request, response);
>
> where in this case I have hard-coded in hello.jsp as the target, just
> for testing (obviously I will replace this with something which looks
> at what the real url is).
>
> The problem is, when I then try to load /secure/hello.jsp, it looks
> like the server goes into an infinite loop. It never returns the page
> and I end up with a bunch of catalina processes running, which I have
> to kill -9 to get rid of.

It's not the server that went into a loop -- it's your application.

The request dispatcher mechanism uses the same servlet mappings that are
used on the original request. Therefore, the request dispatcher for
"/secure/hello.jsp" will select your authentication servlet again, which
will get another request dispatcher, which will ...

The solution to this problem, at least in a Servlet 2.3 environment (like
Tomcat 4), is to use a Filter for performing this kind of authentication.
There was a thread on this over the last couple of days on TOMCAT-USER --
check the archives for some good ideas.

>
> I'm sure I'm making some simple mistake here. Any suggestions?
>
> Thanks
>
Craig