Hello Chris,
That is what I did but I expect a lot of people to have this problem.
Seeing a lot of default valves included I would like to also have this
valve as default.
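
import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class RequestValve extends ValveBase {

    /**
     * Request being processed by the current thread.
     */
    static InheritableThreadLocal<Request> requestHolder =
            new InheritableThreadLocal<>();

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Expose the request to code that runs later on this thread
        // (for example a JAAS LoginModule).
        requestHolder.set(request);
        try {
            getNext().invoke(request, response);
        } finally {
            // Always clear the holder so the pooled thread does not keep
            // a stale request for the next one it serves.
            requestHolder.remove();
        }
    }

    /** Returns the request bound to the calling thread, or null if none. */
    public static Request getRequest() {
        return requestHolder.get();
    }
}
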
MAG,
Milo
On 10/28/2015 08:57 PM, Christopher Schultz wrote:
Milo,
On 10/28/15 4:12 AM, Milo van der Zee wrote:
With request I mean the 'org.apache.catalina.connector.Request' but this
implements 'javax.servlet.http.HttpServletRequest'. So, one and the same
thing for my situation.
And I don't only want access to that information during authentication
but it can also be used to pass information from the authentication to
the rest of the application. Like storing the password in the
subject.privateCredentials... This is needed in some rare cases where
the server has to do some kind of proxy login to another service based
on the client credentials.
Or using the user session for misc info.
I'll have a look into the JASPIC discussion. Thanks. A valve looks
simpler though... (but Tomcat specific)
If you are okay with writing your own Valve, you could just use a
ThreadLocal and stuff whatever you want in there. Be very careful that
you ALWAYS remove the ThreadLocal after the request completes, otherwise
you risk security problems AND potential request/response staleness,
crashes down the line, etc.
-chris
On 10/27/2015 08:17 PM, Christopher Schultz wrote:
On 10/25/15 9:40 AM, Milo van der Zee wrote:
Hello,
There are some default valves available with Tomcat. None of these
expose the request to later phases in the request cycle. Is it an idea
to add a valve that does this? And make this available through a
callback in the JAAS LoginModule. Just like WebLogic and WebSphere do
it. Or just use a static ThreadLocal variable in the valve with a static
getter.
Why?
If the JAAS login module needs to communicate anything to the filter or
other request phases this is needed. When the request is available this
info can (for example) be added to the session.
Or when someone wants to use request info for JAAS authentication this
could also be used.
Thanks for any ideas or comments.
Are you asking about access to the internal Tomcat "Request" object, or
are you asking about the HttpServletRequest?
I know it's inconvenient in Tomcat authenticators not to be able to get
things like the remote user's IP address -- for example, to log a failed
login attempt.
There is some discussion going on right now about using JASPIC as an
authentication API; perhaps you could join that discussion and advocate
for access to some of this information.
I would certainly be interested in having access to information from the
user's request during authentication.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
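
Added example, not part of the original thread and not Tomcat code: a stand-alone Java demo of why the ThreadLocal must always be removed after the request, using a String in place of the Request and plain executors in place of the container's threads (all names are constructed for illustration). It goes one step beyond the thread by also showing what InheritableThreadLocal does when a thread is created while a request is bound.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Constructed demo (no Tomcat classes): a String stands in for the Request object. */
public class ThreadLocalLeakDemo {
    static final ThreadLocal<String> PLAIN = new ThreadLocal<>();
    static final InheritableThreadLocal<String> INHERITED = new InheritableThreadLocal<>();

    /** Runs a task on the given pool and returns what the task observed. */
    static String on(ExecutorService pool, Callable<String> task) throws Exception {
        return pool.submit(task).get();
    }

    public static void main(String[] args) throws Exception {
        // One worker thread reused for every "request", like a container's request thread.
        ExecutorService requestThread = Executors.newSingleThreadExecutor();
        // Stands in for a background pool the application creates lazily.
        ExecutorService background = Executors.newSingleThreadExecutor();
        try {
            // Case 1: set() without remove(). The next request on the same
            // thread reads the previous request's data.
            on(requestThread, () -> { PLAIN.set("request-of-alice"); return null; });
            System.out.println("no remove:   next request sees " + on(requestThread, PLAIN::get));

            // Case 2: set() with remove() in finally, the pattern used by the valve.
            on(requestThread, () -> {
                PLAIN.set("request-of-bob");
                try { return PLAIN.get(); } finally { PLAIN.remove(); }
            });
            System.out.println("with remove: next request sees " + on(requestThread, PLAIN::get));

            // Case 3: InheritableThreadLocal. The background worker thread is created
            // by the first submit, while the request is bound, and gets its own copy.
            // remove() in finally clears the request thread only.
            on(requestThread, () -> {
                INHERITED.set("request-of-carol");
                try { return on(background, () -> "warm-up"); } finally { INHERITED.remove(); }
            });
            System.out.println("inheritable: request thread sees   " + on(requestThread, INHERITED::get));
            System.out.println("inheritable: background thread sees " + on(background, INHERITED::get));
        } finally {
            requestThread.shutdown();
            background.shutdown();
        }
    }
}
```

Cases 1 and 2 show the staleness Chris warns about and the effect of the finally block; case 3 shows that a thread created during a request keeps its inherited copy after the request thread has called remove().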