Issue
I have an authenticator valve defined in Tomcat. I have a servlet which is unprotected (doesn't come under a security constraint) that will preprocess those requests and forward them to a protected servlet. The forward will contain the necessary parameters to authenticate the user as defined by the valve. Will forwarding the request from one servlet to another go through the valve?
Thanks in advance. I am new to developing, so sorry if I specified any terms wrong :)
Also, how does Tomcat know that this valve is defined for authentication?
Solution
No, all Valves are processed only once during the original request.
If you use one of the methods of RequestDispatcher to transfer the request to another servlet (or JSP page), only the configured Filters are used. It is assumed that your servlet performs the necessary security checks before forwarding the request.
To perform the necessary checks in code you can use something like this:
    // Forces authentication
    // If the user was not authenticated, he will need to authenticate
    // and resubmit the servlet request.
    if (request.authenticate(response)) {
        // Authorization
        if (!request.isUserInRole("admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Otherwise forward
        request.getRequestDispatcher("/protected/resource").forward(request, response);
    }
You can perform these checks in your forwarding servlet or an appropriate HttpFilter.
Answered By - Piotr P. Karwasz
Answer Checked By - Robin (JavaFixing Admin)