Posted to users@tomcat.apache.org by "Dr. Evil" <dr...@sidereal.kz> on 2001/10/18 11:04:05 UTC

Using a servlet for authorization

I am trying to use a servlet for authorization like this:

There is a servlet called authservlet which checks to see if there is
a valid user object in the session state.  Here is how it is used:

I have a directory called /secure with a bunch of .jsp files in it.

There is a mapping in web.xml:

   <servlet-mapping>
      <servlet-name>
        authservlet
      </servlet-name>
      <url-pattern>
        /secure/*
      </url-pattern>
   </servlet-mapping>

Every time someone tries to request a page like /secure/hello.jsp, the
request is instead handed to authservlet.  That part is working fine.
authservlet gets the request and can decide what to do with it.

The problem is that I am trying to get authservlet to pass the request
back to the jsp by doing something like this:

        RequestDispatcher rd =
        request.getRequestDispatcher("/secure/hello.jsp");
        rd.forward(request, response);

where in this case I have hard-coded in hello.jsp as the target, just
for testing (obviously I will replace this with something which looks
at what the real url is).

The problem is, when I then try to load /secure/hello.jsp, it looks
like the server goes into an infinite loop.  It never returns the page
and I end up with a bunch of catalina processes running, which I have
to kill -9 to get rid of.

I'm sure I'm making some simple mistake here.  Any suggestions?

Thanks

Figured it out (was Re: Using a servlet for authorization)

Posted by "Dr. Evil" <dr...@sidereal.kz>.
This...

>    <servlet-mapping>
>       <servlet-name>
>         authservlet
>       </servlet-name>
>       <url-pattern>
>         /secure/*
>       </url-pattern>
>    </servlet-mapping>

and this

>         RequestDispatcher rd =
>         request.getRequestDispatcher("/secure/hello.jsp");
>         rd.forward(request, response);

were causing a horrible loop.  I didn't realize that Tomcat would run
the servlet mappings on the args to getRequestDispatcher, but it
does.  The solution is simple:  make the url-pattern something else,
like securepages, and then it can serve the files out of the /secure/
directory.

This is going to be a fantastically useful auth method once I get it all
working.  Yet again, I find that tomcat is enormously powerful and has
a steep learning curve.  The two go together I guess.

Re: Using a servlet for authorization

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On 18 Oct 2001, Dr. Evil wrote:

> Date: 18 Oct 2001 09:04:05 -0000
> From: Dr. Evil <dr...@sidereal.kz>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: Using a servlet for authorization
>
>
> I am trying to use a servlet for authorization like this:
>
> There is a servlet called authservlet which checks to see if there is
> a valid user object in the session state.  Here is how it is used:
>
> I have a directory called /secure with a bunch of .jsp files in it.
>
> There is a mapping in web.xml:
>
>    <servlet-mapping>
>       <servlet-name>
>         authservlet
>       </servlet-name>
>       <url-pattern>
>         /secure/*
>       </url-pattern>
>    </servlet-mapping>
>
> Every time someone tries to request a page like /secure/hello.jsp, the
> request is instead handed to authservlet.  That part is working fine.
> authservlet gets the request and can decide what to do with it.
>
> The problem is that I am trying to get authservlet to pass the request
> back to the jsp by doing something like this:
>
>         RequestDispatcher rd =
>         request.getRequestDispatcher("/secure/hello.jsp");
>         rd.forward(request, response);
>
> where in this case I have hard-coded in hello.jsp as the target, just
> for testing (obviously I will replace this with something which looks
> at what the real url is).
>
> The problem is, when I then try to load /secure/hello.jsp, it looks
> like the server goes into an infinite loop.  It never returns the page
> and I end up with a bunch of catalina processes running, which I have
> to kill -9 to get rid of.

It's not the server that went into a loop -- it's your application.

The request dispatcher mechanism uses the same servlet mappings that are
used on the original request.  Therefore, the request dispatcher for
"/secure/hello.jsp" will select your authentication servlet again, which
will get another request dispatcher, which will ...

The solution to this problem, at least in a Servlet 2.3 environment (like
Tomcat 4), is to use a Filter for performing this kind of authentication.
There was a thread on this over the last couple of days on TOMCAT-USER --
check the archives for some good ideas.

>
> I'm sure I'm making some simple mistake here.  Any suggestions?
>
> Thanks
>

Craig