You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by "R.W. Shore" <sh...@earthlink.net> on 2003/10/31 17:07:30 UTC

Request for a change

I'm running in an environment in which I sometimes need to authenticate
based on both location (IP address, say) and credential (uid/pwd). To make
this work, I need to have access to the remote address and/or host from the
HTTP request hitting the protected subweb. This information isn't available
if I've got BASIC authentication turned on (and probably not other
authentication strategies either, though I haven't looked at them lately).
To support what I need to do, I need to have a slight modification made to
org.apache.catalina.authenticator.BasicAuthenticator. The modified source is
attached from the 4.1 source archive. The strategy is the following:

o Add the following static declarations to the class:
	public static final ThreadLocal REQUEST_ADDRESS = new ThreadLocal();
	public static final ThreadLocal REQUEST_HOST = new ThreadLocal();
These give me a place to stick the address and host name from the incoming
request.

o Modify the authenticate() method in the vicinity of line 160 to look like
the following (*** represents added lines):
        // Validate any credentials already included with this request
        HttpServletRequest hreq =
            (HttpServletRequest) request.getRequest();
        HttpServletResponse hres =
            (HttpServletResponse) response.getResponse();
        String authorization = request.getAuthorization();
        String username = parseUsername(authorization);
        String password = parsePassword(authorization);
***     REQUEST_ADDRESS.set(hreq.getRemoteAddr());
***     REQUEST_HOST.set(hreq.getRemoteHost());
        principal = context.getRealm().authenticate(username, password);
***     REQUEST_ADDRESS.set(null);
***     REQUEST_HOST.set(null);

The first pair of added lines caches the remote address and host name in the
thread-local variables. BasicAuthenticator then calls the realm's
authenticate() method as it always does, preserving the interface to
existing realm implementations. However, a suitably modified realm
implementation can now get the address or host from the BasicAuthenticator
variables and make the values available to the authentication mechanism as
appropriate. For example, I've modified a few classes in the JBoss
environment to be able to use these static thread-local values, so I can
have a JAAS LoginModule implementation that validates location and adds
appropriate roles for a user.

=========
R.W. Shore
Templar Corporation
shoreel@earthlink.net
7035054451@mobile.mycingular.com (short txt)
(703)505-4451 (cell, marginal quality)
(540)858-3487 (also the modem line)