Milo,

On 10/28/15 4:12 AM, Milo van der Zee wrote:
> With request I mean the 'org.apache.catalina.connector.Request' but this
> implements 'javax.servlet.http.HttpServletRequest'. So, one and the same
> thing for my situation.
> And I don't only want access to that information during authentication
> but it can also be used to pass information from the authentication to
> the rest of the application. Like storing the password in the
> subject.privateCredentials... This is needed in some rare cases where
> the server has to do some kind of proxy login to another service based
> on the client credentials.
> Or using the usersession for misc info.
>
> I'll have a look into the JASPIC discussion. Thanks. A valve looks
> simpler though... (but Tomcat specific)

If you are okay with writing your own Valve, you could just use a
ThreadLocal and stuff whatever you want in there. Be very careful that
you ALWAYS remove the ThreadLocal after the request completes, otherwise
you risk security problems AND potential request/response staleness,
crashes down the line, etc.

-chris

> On 10/27/2015 08:17 PM, Christopher Schultz wrote:
>>
>> On 10/25/15 9:40 AM, Milo van der Zee wrote:
>>> Hello,
>>>
>>> There are some default valves available with Tomcat. None of these
>>> expose the request to later phases in the request cycle. Is it an idea
>>> to add a valve that does this? And make this available through a
>>> callback in the jaas loginModule. Just like WebLogic and Websphere do
>>> it. Or just use a static threadlocal variable in the valve with a static
>>> getter.
>>>
>>> Why?
>>> If the jaas login module needs to communicate anything to the filter or
>>> other request phases this is needed. When the request is available this
>>> info can (for example) be added to the session.
>>> Or when someone wants to use request info for jaas authentication this
>>> could also be used.
>>>
>>> Thanks for any ideas or comments.
>> Are you asking about access to the internal Tomcat "Request" object, or
>> are you asking about the HttpServletRequest?
>>
>> I know it's inconvenient in Tomcat authenticators not to be able to get
>> things like the remote user's IP address -- for example, to log a failed
>> login attempt.
>>
>> There is some discussion going on right now about using JASPIC as an
>> authentication API; perhaps you could join that discussion and advocate
>> for access to some of this information.
>>
>> I would certainly be interested in having access to information from the
>> user's request during authentication.
>>
>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
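
Added example, not part of the original thread and not Tomcat's own code: a minimal Valve that follows the advice in the reply above, binding the request to a ThreadLocal and always clearing it in a finally block. The class name RequestHolderValve, the package example and the getter current() are hypothetical; it assumes Tomcat's catalina classes and the servlet API on the compile classpath.

```java
// Added example. RequestHolderValve and current() are hypothetical names.
// javax.servlet matches the Tomcat versions current at the time of the
// thread; Tomcat 10 and later use jakarta.servlet instead.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class RequestHolderValve extends ValveBase {

    // One slot per worker thread. Tomcat reuses its worker threads, so a
    // value left here would be readable by whatever request the thread
    // serves next, including another user's.
    private static final ThreadLocal<Request> CURRENT = new ThreadLocal<>();

    public RequestHolderValve() {
        super(true); // declare async support so startAsync() keeps working
    }

    /** Returns the request bound to the calling thread, or null if none. */
    public static Request current() {
        return CURRENT.get();
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        CURRENT.set(request);
        try {
            // Authentication and the application run further down the
            // pipeline on this same thread and can call current().
            getNext().invoke(request, response);
        } finally {
            // Runs on normal return and on every exception path, so the
            // thread goes back to the pool with an empty slot. Threads the
            // application starts itself never see the value at all.
            CURRENT.remove();
        }
    }
}
```

The valve would be registered with a `<Valve className="example.RequestHolderValve"/>` element in the Context or Host configuration, and code such as a JAAS LoginModule running on the request thread would call `RequestHolderValve.current()`, treating a null return as "no request bound".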