struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Struts/Container-Managed Authentication Question
Date Fri, 19 Jul 2002 16:31:40 GMT

On Fri, 19 Jul 2002, Mete Kural wrote:

> One question about your filter: Is it possible to
> somehow tie it up to container-managed security? I
> know that you provide all the methods such as
> userInRole() etc. but if you're on an EJB platform the
> container has to be user-aware also. Is it possible to
> add a feature to your filter that makes the container
> user-aware? If you would like any help to implement
> something like that, I could help. I've been wanting
> to do some open-source work but so far I've only been
> using them. And also it would be good for my resume
> since I need to find a job pretty soon.

It would be easy for a filter to "fake" the security related methods like
getRemoteUser(), getUserPrincipal(), and isUserInRole(), because it can
create a request wrapper around the original request and override these
methods.  However, it really is fake, and has nothing to do with the
container managed security (for either web security contraints or EJB
identity).  By the time the filter is invoked, the container has already
obeyed any security constraints you have defined.

Filters have no more magic powers in this regard than servlets do.  If you
need to authenticate your users for the EJB layer, you have to use
container managed security, or modify your container's implementation by
doing something like writing a custom Authenticator for Tomcat (which is
obviously not going to be portable, and you're stuck maintaining system
level code).

> Thanks,
> Mete


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message