Posted to users@tomcat.apache.org by Tim K <ti...@gmail.com> on 2021/10/27 14:04:26 UTC

Re: Setting a Request Attribute from a custom Realm

On Tue, Apr 13, 2021 at 9:22 PM Tim K <ti...@gmail.com> wrote:
>
> On Fri, Apr 9, 2021 at 7:48 AM Tim K <ti...@gmail.com> wrote:
> > As mentioned in that url, doing a pre-login of sorts before calling
> > HttpServletRequest.login() may be a workaround to accomplish this, but
> > then I would need to call my backend authentication service twice for
> > each login.
> >
> > -Tim
>
> I've been looking into this further.  Is it possible to completely
> disable or change the URL for the "j_security_check" to something else
> while still keeping form-login?  I want to write my own servlet to
> perform the login via HttpServletRequest.login() instead of putting
> the password verification logic in the realm so that I have scope to
> the request to display custom error messages back to the user.  I'll
> want the realm to be very generic, almost just creating a Principal
> for anything that hits it, but I want to ensure my custom login is the
> only thing that performs the login() for obvious reasons.
>
> -Tim

Bringing back this one as I never got any bites on it.  I'm still
faced with figuring out a solution.

If I only want to programmatically log in the user via
HttpServletRequest.login(), how could I prevent users from just
directly POST-ing to j_security_check on their own and bypassing my
own login action?
