Java Mailing List Archive

http://www.junlu.com/


Re: JAAS Authentication using Servlet Filter.

Guy Katz

2004-05-18


Use JAASRealm to continue and use the app J2EE security model.
Use the filter if you want to take over security and manage it yourself (no
'real' getUserPrincipal, run as the same user inside the app server).
My choice would be a custom realm.

Regarding the j_security thing: this means you use container-managed
security, and the j_security stuff will only be sent through your login
form/dialog when a protected resource is accessed. Invoking JAAS in the
filter will happen just before the container tries to authenticate your user
& pass, so I can't see the benefit here.

-----Original Message-----
From: Ben Hill [mailto:ben.hill@(protected)]
Sent: Tuesday, May 18, 2004 12:40 PM
To: J2EE-INTEREST@(protected)
Subject: JAAS Authentication using Servlet Filter.


I'm trying to implement a servlet filter that intercepts requests to a
servlet and if the user is not authenticated, run the supplied username and
password through a JAAS authentication cycle. I'm using the Tomcat 4.x
server.

I would like to know how this process is done using the j_security_check as
I'd like to implement the same functionality. I wish to be able to JAAS
authenticate when the filter intercepts the request so that after the
authentication I can call request.isUserInRole(), request.getUserPrincipal(),
request.getRemoteUser() etc.

After looking at the API docs at
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/catalina/docs/api/index.html
I have found the org.apache.catalina.realm.JAASCallbackHandler and suspected
that if I can find the realm, (set up as a JDBC realm in the server.xml), and
then pass in the username and password to this callback handler - I can run
the .login() method somehow.

Any help would be appreciated, if you know of any howtos or docs, that would
be great!

Cheers,

Ben



===========================================================================
To unsubscribe, send email to listserv@(protected)
of the message "signoff J2EE-INTEREST". For general help, send email to
listserv@(protected)".
