Just for comparison, I downloaded the Tomcat 7.0 branch (because it is my understanding that that is where the new servlet 3.0 is implemented, maybe I'm wrong?) and the Request class has a different authenticate method
JBossWeb has its own implementation of Servlet 3.0.
BTW: I am afraid the Tomcat code will throw a NullPointerException in your case.
Or am I just missing something?
It seems you need to configure the authenticator and/or have a constraints in the webapp you are using.
It seems you need to configure the authenticator and/or have a constraints in the webapp you are using
In my context.xml file, I define a Valve
<Valve className="com.mycompany.auth.MyValve" />
Doesn't this become my configured authenticator for the context? MyValve extends AuthenticatorBase which implements Authenticator. It is a valid authenticator.
I have also tried numerous changes in the web.xml with and without constraints. But it is my understanding that one of the reasons for this functionality is to remove the dependency of having constraints and just allowing a dynamic login.
Anyway, here is my current web.xml:
<display-name>Security Constraints with Authorization</display-name>
<description>Authorized user roles</description>
Maybe JBoss has sample code that shows how this works? Or maybe there is a different way to configure an authenticator?
Ok. I have found a way to get it to work but it has become unnecessarily complex.
In the Valve::start() method, if I add
then it works. The real problem is that the setAuthenticator method only exists in the new servlet 3.0 so it can't be assumed to be there, which means you have to create a way to handle this.
I guess what I was expecting was something like this:
<Valve className="com.mycompany.auth.MyValve" setAuthenticator="true"/>
Then it is easy to configure and the Valve can easily throw any values it doesn't recognize (for code that predates the setAuthenticator stuff)
Is this the expected way of handling this? Is there a better way?
Sean Whyte wrote:
Does this help http://community.jboss.org/message/532453 (I don't know if that thread applies to programatic authentication).
Unfortunately, not quite the same. A context can now have a default Authenticator associated with it, which is what I am trying to accomplish. The new 'setAuthenticator()' method appears to be specific to the JBossWeb implementation as no such method exists in the Tomcat code (even Tomcat7)
My suggestion would be for JBoss to provide a more elegant way of configuring this, much like the login-config.xml is used as a better way to configure where Tomcat requires a jaas.conf file. I think it would be nice to provide this in the context.xml file like I suggested earlier.
Do any of the JBossWeb developers ever see suggestions from here?
hm if you use a programatic logic in valves I think it makes more sense to program all instead mixing configuration file and program, no?
See JBossWeb SVN: r1499 - trunk/java/org/apache/catalina/startup... I think that is what you need, you will have in M4
Yes, I think that is it. The ContextConfig class has a method authenticatorConfig() which will configure a Valve that implements Authenticator as the default authenticator.
I will look forward to trying the M4 release.