
Set user principal in a filter

Bobby Anderson
Ranch Hand

Joined: Oct 28, 2008
Posts: 114
Can I implement a filter which sets the current principal, so that calls to request.getUserPrincipal() work?

An Apache server in front of Tomcat authenticates my client and delegates a certificate as an HTTP header attribute. I want to read this certificate, create a custom principal (which holds the certificate), and set this new user principal in a filter. Can I do this?
Travis Hein
Ranch Hand

Joined: Jun 06, 2006
Posts: 161
Sure you can. I have done this with a request wrapper and a filter for times when I want to make my web application handle the login and role assignment.

Here I override the getUserPrincipal and isUserInRole


and then in the filter,



This is handy when wanting to have the application work in different container environments,


Error: Keyboard not attached. Press F1 to continue.
Pat Gonzalez
Greenhorn

Joined: Oct 18, 2009
Posts: 19
If you don't feel like writing any code to set the user principal, take a look at this open source library...

http://spnego.sourceforge.net

It will set the current principal so that your call to getUserPrincipal() will work.

This project has a bunch of examples to make it as easy as possible to get up and running.
Krem Reid
Greenhorn

Joined: Sep 07, 2009
Posts: 28
How do you get the filter to be called before the Realm security kicks in?

The filter is called, but only after the user has authenticated.



Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Requests don't need to be authenticated for filter code to run.

Krem Reid
Greenhorn

Joined: Sep 07, 2009
Posts: 28
I'm a little confused; can you help me straighten this out?

I'm using Struts2.

I have a JSP that users fill out to register. This goes to my action class, which registers the user.
Then the user is forwarded to a "customer action" which has a security constraint.



I have the filter put on all /customers



The security constraint is being thrown up before the Filter is activated.

I'm using Realm based security.

Where am I going wrong?

Thanks
Travis Hein
Ranch Hand

Joined: Jun 06, 2006
Posts: 161
Right, this filter to fetch the authenticated user's role would be mapped to URLs of the pages you want protected.

The login page should not be protected by this user role filter, so as to allow the login handler to retrieve the user profile and stuff it into session attributes, or however you implemented my sample filter above to find the user information to stuff into the UserRoleRequestWrapper.

Additionally, since this filter only makes the user principal available, but does not do any policing logic, perhaps another filter that is also mapped to these role-protected pages after this one, that would redirect you to the login page if the user principal is not found in the request, or display an error if the user does not have sufficient role privileges.
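The second, policing filter suggested above could look like this (added example, not code from the thread; the class name and the `requiredRole` / `loginPath` init-params are assumptions). It has to be mapped after the filter that wraps the request, with the login page itself left unmapped.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical enforcement filter; the init-param names are assumptions.
public class RequireRoleFilter implements Filter {
    private String requiredRole;  // init-param "requiredRole"
    private String loginPath;     // init-param "loginPath", context-relative, e.g. /login.jsp

    public void init(FilterConfig config) throws ServletException {
        requiredRole = config.getInitParameter("requiredRole");
        loginPath = config.getInitParameter("loginPath");
        if (requiredRole == null || loginPath == null || !loginPath.startsWith("/")) {
            // Fail at deployment rather than run with no policy.
            throw new ServletException("requiredRole and loginPath must be configured");
        }
    }

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.getUserPrincipal() == null) {
            // No principal in the request: send the browser to the login page.
            String target = request.getContextPath() + loginPath;
            response.sendRedirect(response.encodeRedirectURL(target));
            return;  // do not continue down the chain
        }
        if (!request.isUserInRole(requiredRole)) {
            // Known user without the required role: refuse with 403.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```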
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Presumably the filter does not apply to the request for authentication. Make your filter match all requests and it should be hit.
Krem Reid
Greenhorn

Joined: Sep 07, 2009
Posts: 28
Even when changing the URL pattern to <url-pattern>/*</url-pattern>

The Realm Security still kicks in before the Filter

Travis Hein
Ranch Hand

Joined: Jun 06, 2006
Posts: 161
In that case, if you are using that web.xml security role policy things, you might need to find some kind of container provided mechanism to ensure the request object has the user principal and roles populated before the web application is invoked.

That is, one of the realm implementations that come with Tomcat (see http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html) so the user is authenticated and roles are populated into the request before your webapp is invoked.

I created my filter as a workaround to having to make use of the container provider realms. Where I stuff in the user principal and roles into the request object with this filter, after I have looked them up in my own mechanism. This was suitable for my use as the application also worked with a 'profile manager' outside of a web application container, so I didn't want to get into container-specific realm configurations.

Though that also likely makes this filter not compatible with standard web.xml realm and security configurations.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

Interesting. I'm currently (coincidentally) debugging through an application that hits the filter first (since all requests to a web application, including the request for authentication, are routed through my filter). Not sure what you could be doing different.
Krem Reid
Greenhorn

Joined: Sep 07, 2009
Posts: 28
You would think this is a problem that others have run into before but I can't seem to find anything on the net.

I'm starting to think making the users login after registration is just fine!
 