
Taavi Tiirik (t...@ibs.ee)


User Information

Display Name: Taavi Tiirik
Partial Email Address: t...@ibs.ee
Posts:
1 total
1 in tomcat-user@jakarta.apache.org

3 Most Recent

1) Taavi Tiirik blocking access using filter
tomcat-user@jakarta.apache.org
Hey,

I need more sophisticated access control for certain
documents than JDBCRealm provides. These documents
reside in separate directory tree and they are
served by standalone tomcat 4. I have mapped an
'access control filter' to listen to all requests to
this directory. Filter should behave like this:

1. If user is not logged in or if the session has
timed out then it should open login page and after
successful login it should try to access the very
same request (ie. the same document).

/ I am using getRemoteUser() to determine if user
is logged in. /

2. Filter performs a database lookup and decides if
given user can access this document.

/ This step is easy and I can live with extra
overhead needed for database query. /

3. If user does not have rights to access this
document then filter should send error 404 (no such
document).

/ This can be achieved using:
  response.sendError( HttpServletResponse.SC_NOT_FOUND ); /

4. Do nothing... ie. user will get this document.

/ 'do nothing' actually means calling next filter in
  chain like this:
  chain.doFilter( request, response ); /


I have figured out all steps but the very first one.
What should I do in the filter in order to make tomcat
use its standard authentication mechanism
(JDBCRealm, form based login in my case) so
the user could log in and still get the required document?

Please, any help is appreciated. I will happily donate
this filter back to the group if I get it working and
if there is interest.

thanks in advance,
Taavi
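
The four steps listed in the post above, sketched as a Servlet 2.3 filter. This is an added example, not code from the original post or from Tomcat. It assumes that a <security-constraint> with form login in web.xml covers the same directory, so the container has authenticated the user (and replayed the original request) before the filter runs; the DocumentAcl interface and the "documentAcl" context attribute are hypothetical names standing in for the database lookup.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DocumentAccessFilter implements Filter {

    /** Hypothetical lookup; the per-document database query sits behind it. */
    public interface DocumentAcl {
        boolean mayRead(String user, String documentPath) throws Exception;
    }

    private ServletContext context;
    private DocumentAcl acl;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
        // Assumption: startup code stored the ACL under this (made-up) name.
        acl = (DocumentAcl) context.getAttribute("documentAcl");
        if (acl == null) throw new ServletException("documentAcl not configured");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Step 1: with a security-constraint in place this is non-null here;
        // a null user (constraint missing or mis-mapped) is treated as denied.
        String user = request.getRemoteUser();
        boolean allowed = false;
        if (user != null) {
            try {
                // Step 2: per-document lookup on the context-relative path.
                String info = request.getPathInfo();
                String path = request.getServletPath() + (info == null ? "" : info);
                allowed = acl.mayRead(user, path);
            } catch (Exception e) {
                // Fail closed: a broken lookup must not hand out the document.
                context.log("ACL lookup failed, denying access", e);
            }
        }
        if (!allowed) {
            // Step 3: same 404 as for a missing file, so existence is not revealed.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Step 4: pass the request on so the document is served.
        chain.doFilter(request, response);
    }

    public void destroy() { acl = null; }
}
```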
2) Taavi Tiirik RE: Loggin out using JDBC realms
tomcat-user@jakarta.apache.org
On Fri, 31 Aug 2001, PHAM,TAM (HP-Vancouver,ex1) wrote:
> Regarding logging out of JDBC realms. This does not seem ideal if I
> have to explicitly call session.invalidate() when the user logs out.

Tam,

You can use javascript to fire session.invalidate() in case the
user closes the browser window (ie. does not use your log-out link).

And regarding automatic expiration after a given period of time
you should be able to put the following in your web.xml:

<session-config>
<session-timeout>30</session-timeout> <!-- timeout in minutes -->
</session-config>

If you want to run your own code in case of automatic session
expiration then I hope this article helps:
http://w6.metronet.com/~wjm/tomcat/2001/Jan/msg00703.html

with best wishes,
Taavi
3) Taavi Tiirik Re: Loggin out using JDBC realms
tomcat-user@jakarta.apache.org
> when using security realms, more specifically JDBC realms,
> how do you log-out?

Call session.invalidate() and it does the trick.

with best wishes,
Taavi
