Posted to users@tomcat.apache.org by Josh Landin <jl...@cyntact.com> on 2003/05/03 21:28:19 UTC

Form-based auth, session setup - a solution

In case anyone else has the same question...

One solution I came up with is to create a request filter and map it to
the same pattern as the form-based auth. Here's the web.xml snippet:


<web-app>
    <filter>
      <filter-name>MemberLoginSetupFilter</filter-name>
      <filter-class>paperklip.session.MemberLoginSetupFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>MemberLoginSetupFilter</filter-name>
      <url-pattern>/member/*</url-pattern>
    </filter-mapping>
. . .


Then in the MemberLoginSetupFilter.doLogin() method I have:


if (!StringUtil.toString(httprequest.getRemoteUser()).equals("") &&
    !StringUtil.toString(httpsession.getAttribute(AttributeKeys.MEMBER_SESSION_KEY+".complete")).equals("true"))
{
  // Setup the session, db, etc as needed
  . . .
  . . .
  // Then flag the session as 'setup'
  httpsession.setAttribute(AttributeKeys.MEMBER_SESSION_KEY+".complete","true");
}

// Allow the request handling to continue on normally
chain.doFilter(request, response);



Seems to work fine, and the filter is not invoked when the original
"unauthorized" request comes in. The container simply notices the need for
auth, saves the original request as normal, and brings the user to the
login page. Once the user applies good credentials, the container forwards
them to the original request and the filter is applied prior to delivery
of that request.

--
Josh
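
A self-contained version of the filter described above, as an added example that is not part of the original post. The class name, the attribute keys and setupMemberSession() are hypothetical; it stores the authenticated user name in the flag instead of "true", so the setup is repeated if the session is later seen with a different user.

```java
// Added example, not the original poster's class. Names marked "hypothetical" are assumptions.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class MemberSessionSetupFilter implements Filter {   // hypothetical class name
    // Hypothetical attribute key: records which user the session was set up for.
    static final String SETUP_FOR_USER = "member.session.setupForUser";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // getRemoteUser() returns null until the container has authenticated the caller.
        String user = httpRequest.getRemoteUser();
        if (user != null) {
            HttpSession session = httpRequest.getSession();
            // Compare against the stored user name rather than a bare "true" flag,
            // so state prepared for one principal is never reused for another.
            if (!user.equals(session.getAttribute(SETUP_FOR_USER))) {
                setupMemberSession(session, user);
                session.setAttribute(SETUP_FOR_USER, user);
            }
        }
        // Allow the request handling to continue on normally.
        chain.doFilter(request, response);
    }

    // Hypothetical placeholder for the application's own setup (profile, db, etc).
    private void setupMemberSession(HttpSession session, String user) {
        session.setAttribute("member.displayName", user);
    }
}
```

The filter-mapping url-pattern has to cover every pattern protected by the security constraint, otherwise some authenticated requests reach the application before the session has been set up.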
