
Hey all, I'm using Tomcat 6.0.14 and would like to know how to implement a system that would allow us to send users a link, say mysite.com?token=12345678912334333 (long string continued), that would allow the user to be logged in automatically.


2 Answers


Unless you have other reasons specific to Tomcat, or you are unable to modify your web application, it might be easiest to use a custom filter to do the authentication (JAAS or otherwise). For example:

With a custom filter, you could authenticate in whatever way you wanted to in a relatively straightforward way.

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
  throws IOException, ServletException {

    // Look for the login token carried in the link's query string
    String token = request.getParameter("token");
    if (token != null) {
      doAuthentication(token);   // your own check of the token (JAAS or otherwise)
    }

    // Continue the chain with the original request and response
    chain.doFilter(request, response);
}

You tagged with JAAS. That's different than just authenticating with a simple token, but if that's what you are looking for, are you familiar with Tomcat's JAASRealm? You would just have to write your own LoginModule to authenticate the token.

It probably goes without saying that using token-based login via E-mail is inherently insecure, and so is not appropriate for all types of applications.


2 Comments

I actually was looking at JAASRealm, but with that I'm not sure how to set request.getRemoteUser. It appears that this Securityfilter.org solution somehow does it. I could change our site's authentication to use request.getPrincipal pretty easily. Just wondering if there's an easy way of writing request.getRemoteUser(), I guess.
The request.getRemoteUser was meant for retrieving authentication as provided by the container (Tomcat). JAAS is different. It's difficult to programmatically feed the JAAS-authenticated user/principal/subject back to the container so that getRemoteUser can be used. In Tomcat, I think it requires writing a custom valve or some other low-level hook. Unless you really need getRemoteUser, it might be easier to store the user/principal/subject in the session yourself and retrieve it directly from the session where needed in your servlet code.
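A fuller version of the filter approach from the answer above, combined with the comment's suggestion of keeping the logged-in user in the session. This is an added example, not code from the answer or from Tomcat: the token is looked up by its SHA-256 hash, is single-use and expiring, the pre-login session is discarded, and the token is stripped from the URL by a redirect. `TokenLoginFilter`, `TokenRecord`, `issueToken` and the in-memory `tokenStore` are assumed names; the map stands in for the database lookup a real deployment would use.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: logs a user in from a one-time, expiring link token (added example).
public class TokenLoginFilter implements Filter {
    // Constructed stand-in for a database row: the token's owner and its expiry time.
    static final class TokenRecord {
        final String userId; final long expiresAt;
        TokenRecord(String u, long e) { userId = u; expiresAt = e; }
    }
    // Keyed by SHA-256 of the token, so a leaked store does not yield usable links.
    private final Map<String, TokenRecord> tokenStore = new ConcurrentHashMap<>();
    // Called when the link is mailed out; only the token's hash is kept server-side.
    public void issueToken(String token, String userId, long ttlMillis) {
        tokenStore.put(sha256Hex(token), new TokenRecord(userId, System.currentTimeMillis() + ttlMillis));
    }
    @Override public void init(FilterConfig cfg) {} @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String token = request.getParameter("token");
        if (token != null) {
            // remove() makes the token single-use: a replayed link finds nothing.
            TokenRecord rec = tokenStore.remove(sha256Hex(token));
            if (rec != null && rec.expiresAt > System.currentTimeMillis()) {
                request.getSession().invalidate();                 // discard the pre-login session
                request.getSession(true).setAttribute("userId", rec.userId);
                // Redirect without the token so it is not left in browser history or Referer headers.
                response.sendRedirect(request.getRequestURI());
                return;
            }
        }
        chain.doFilter(request, response); // anonymous or already-authenticated request
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Servlets downstream read the user from the session attribute rather than from request.getRemoteUser(), which the comment above notes is only populated by container-managed authentication.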

I guess you have to implement the logic by yourself, i.e. the link guides the user to a servlet or something like that which recognizes that link, joins it with the user, creates a session object and redirects the user inside your app.

Hope this helps
