

1 /*********************************************************************************
2  * The contents of this file are subject to the OpenI Public License Version 1.0
3  * ("License"); You may not use this file except in compliance with the
4  * License. You may obtain a copy of the License at
5  * http://www.openi.org/docs/LICENSE.txt
6  *
7  * Software distributed under the License is distributed on an "AS IS" basis,
8  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for
9  * the specific language governing rights and limitations under the License.
10  *
11  * The Original Code is: OpenI Open Source
12  *
13  * The Initial Developer of the Original Code is Loyalty Matrix, Inc.
14  * Portions created by Loyalty Matrix, Inc. are
15  * Copyright (C) 2005 Loyalty Matrix, Inc.; All Rights Reserved.
16  *
17  * Contributor(s): ______________________________________.
18  *
19  ********************************************************************************/

20 package org.openi.security.tomcat;
21
22
23
24 import java.io.IOException JavaDoc;
25
26 import javax.servlet.ServletException JavaDoc;
27 import javax.servlet.http.HttpServletRequest JavaDoc;
28 import javax.servlet.http.HttpServletResponse JavaDoc;
29
30 import org.apache.catalina.Request;
31 import org.apache.catalina.Response;
32 import org.apache.catalina.ValveContext;
33 import org.apache.catalina.valves.ValveBase;
34
35 /**
36  * @author dpokhrel
37  *
38  * A <strong>Valve</strong> that hooks up j_security_check request and sets
39  * j_password in session.
40  * <strong>Reasons:</strong>
41  * <ul>
42  * <li>the application requires user credentials to connect with the XMLA web service if basic
43  * authentication is enabled</li>
44  * <li>User name can be accessed from request object but there is no such a
45  * standard way to retrieve password.</li>
46  * <li> the application is using Form based authentication and authentication is done by
47  * tomcat itself. Form based authentication is done by sending a "j_security_check"
48  * request with "j_username" and "j_password" parameter. The simple idea to grab
49  * password is to filter the "j_security_check" and store the j_password in some
50  * variable by using a Servlet Request Filter. But in the case of "j_security_check"
51  * the servlet filter does not work at all (this is because the servlet spec
52  * strongly recommended that the "j_security_check" should not be processed by
53  * Application. The processing of this request should be implemented in Container)
54  * Another idea is creating a simple intermediate request filter to store
55  * the j_password and then redirect to j_security_check. But the problem
56  * of using this approach is that RequestDispatcher does not work for
57  * "j_security_check". Also sendRedirect() method depends on browser for
58  * redirection, which creates a security hole: the j_security_check request string (with embedded
59  * j_password) can be seen from the browser.</li>
60  * </ul>
61  * So with above constraints, the possible way is to use container to solve the
62  * above problem. Sacrificing portability to deploy on different servlet
63  * containers, we came up with the valve based solution supported by tomcat.
64  * The valve is similar to the RequestFilter used in the application. The container always
65  * calls the invoke method of each valve available in the valve chain. Our valve just
66  * checks whether the request is "j_security_check". If so, it retrieves j_password and sets it in the
67  * session.
68  * To use this valve :
69  * <ul>
70  * <li> compile and create a jar</li>
71  * <li> copy jar to TOMCAT_ROOT/server/lib folder</li>
72  * <li> add the following property in <engine> section of server config file
73  * "TOMCAT_ROOT/conf/server.xml":
74  * <Valve className="org.openi.security.tomcat.LoginValve" />
75  * </ul>
76  *
77  */

78
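public class LoginValve
    extends ValveBase {

    /**
     * Path suffix of the container's form-login action. The match below requires the
     * request path to end with this (after dropping any ";..." path parameters such as
     * a URL-rewritten session id) rather than merely contain the token, so that unrelated
     * resources whose path happens to include "j_security_check" do not have a request
     * parameter captured into the session.
     */
    private static final String FORM_ACTION = "/j_security_check";

    /** Request parameter carrying the password submitted on the login form. */
    private static final String PASSWORD_PARAM = "j_password";

    /**
     * Session attribute under which the submitted password is stored (in clear, as the
     * application needs it later to authenticate against the XMLA web service).
     */
    private static final String CREDENTIALS_ATTR = "user.credentials";

    /**
     * Return descriptive information about this Valve implementation.
     *
     * @return the implementation identifier reported to the container
     */
    public String getInfo() {
        return "org.openi.security.tomcat";
    }

    /**
     * Process the request and test whether it is the form-login action
     * ({@code /j_security_check}). If so, the {@code j_password} request parameter is
     * stored in the session attribute {@code user.credentials}, which the application
     * later uses to connect to the XMLA web service. The request is always passed on
     * to the next valve in the chain.
     *
     * @param request  Request being processed
     * @param response Response being created
     * @param context  ValveContext used to reach the next valve in the pipeline
     * @throws IOException      if an input/output error occurs downstream
     * @throws ServletException if a servlet error occurs downstream
     */
    public void invoke(Request request, Response response,
                       ValveContext context)
        throws IOException, ServletException {

        // Only HTTP requests carry a URI and a session; anything else is passed through.
        if (!(request instanceof HttpServletRequest)
            || !(response instanceof HttpServletResponse)) {
            context.invokeNext(request, response);
            return;
        }
        HttpServletRequest hreq = (HttpServletRequest) request.getRequest();

        if (isFormLoginAction(hreq.getRequestURI())) {
            // A missing parameter yields null, which setAttribute treats as a removal
            // of any previously stored credential.
            String password = hreq.getParameter(PASSWORD_PARAM);
            hreq.getSession().setAttribute(CREDENTIALS_ATTR, password);
        }

        context.invokeNext(request, response);
    }

    /**
     * Tell whether a request URI addresses the container's form-login action.
     * Path parameters (everything from the first {@code ';'} on, e.g. a rewritten
     * {@code jsessionid}) are ignored; the remaining path must end with
     * {@code /j_security_check}.
     *
     * @param requestURI the raw request URI, may be {@code null}
     * @return {@code true} if the URI is the form-login action, {@code false} otherwise
     */
    private static boolean isFormLoginAction(String requestURI) {
        if (requestURI == null) {
            return false;
        }
        int semicolon = requestURI.indexOf(';');
        String path = semicolon < 0 ? requestURI : requestURI.substring(0, semicolon);
        return path.endsWith(FORM_ACTION);
    }
}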
138
139