Setting Authentication Header in Servlet via Filter

有刺的猬 2021-02-04 12:07

Preface

This is my first attempt at a Filter, be gentle.

Project Description

I am trying to finalize a build for an SSO

2 answers
  • 2021-02-04 12:33

    First, the most basic question (kind of an "is this plugged in" question), I assume that your cookies are all rooted in the same domain, and that you're not trying to get cross domain behavior here. Because cookies won't do that.

    Beyond the cookie test, this looks fine. But it all hinges on the cookie test.

    If you want to test the Authorization header, then you can simply short circuit the cookie test (i.e. it always passes) and populate the Authorization header with some valid value. This will, in the short term, test your whole Authorization scheme.

    Once that's done/fixed, then you can focus on the cookie setting and delivery.

    I also assume that you're not using Java EE Container based authentication, with Tomcat doing this check for you. In that case, a filter is simply "too late". The container will have already made its decisions before your filter even gets called.

    If you are using container based authentication, and your apps are on the same container, I would imagine Tomcat (or someone) has an SSO option at the container level. I know that Glassfish will do this for you out of the box. It should be straightforward to modify Tomcat artifacts (i.e. not portable Java EE/Servlet mechanisms) to implement this if that is the case.

  • 2021-02-04 12:48

    I'm adding a new answer, since it's completely different.

    I did a test on my system. I copied your code, dumped the cookie test, and wrote a simple Servlet to dump things out for me.

    And it worked fine, save for one caveat.

    I don't know how your app is using this. But your ServletRequestWrapper implements getHeaderNames, and getHeader, but it does NOT implement getHeaders. I ran into that problem as I used getHeaders to try and dump the request, and, of course, Authorization was missing.

    So, you may want to look at your code closer to see if it is indeed not using getHeaders. If it is, it will "work fine", but completely skip the work you've done, and thus miss your Authorization header.

    Here's my implementation, and it worked for me.

        // Needs java.util.{ArrayList, Collections, Enumeration, List};
        // headerMap is the wrapper's Map<String, String> of headers added by the filter.
        @Override
        public Enumeration<String> getHeaders(String name) {
            // Prefer whatever the underlying request already carries for this header.
            Enumeration<String> e = super.getHeaders(name);
            if (e != null && e.hasMoreElements()) {
                return e;
            } else {
                // Otherwise expose the filter-added value (if any) as a one-element enumeration.
                List<String> l = new ArrayList<>();
                if (headerMap.get(name) != null) {
                    l.add(headerMap.get(name));
                }
                return Collections.enumeration(l);
            }
        }
    
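A wrapper that keeps all three header accessors consistent, added here as an example rather than code from either answer or the question. It assumes a `headerMap` field like the one the question's wrapper uses, stores it case-insensitively because HTTP header names are, and lets the filter-set value take precedence so a client-supplied Authorization header cannot shadow the one the filter derives from the SSO cookie.

```java
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Request wrapper whose added headers are visible via getHeader, getHeaders AND getHeaderNames. */
public class HeaderAddingRequest extends HttpServletRequestWrapper {
    // Header names are case-insensitive; a plain HashMap would miss "authorization".
    private final Map<String, String> headerMap = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    public HeaderAddingRequest(HttpServletRequest request) {
        super(request);
    }

    /** Called by the filter once the SSO cookie has been validated. */
    public void putHeader(String name, String value) {
        headerMap.put(name, value);
    }

    @Override
    public String getHeader(String name) {
        String v = headerMap.get(name);
        return v != null ? v : super.getHeader(name);  // filter-set value wins over the client's
    }

    @Override
    public Enumeration<String> getHeaders(String name) {
        String v = headerMap.get(name);
        if (v != null) {
            return Collections.enumeration(Collections.singletonList(v));
        }
        return super.getHeaders(name);  // untouched headers fall through to the real request
    }

    @Override
    public Enumeration<String> getHeaderNames() {
        Set<String> names = new LinkedHashSet<>(headerMap.keySet());
        Enumeration<String> orig = super.getHeaderNames();
        if (orig != null) {  // the spec allows null when the container forbids header access
            while (orig.hasMoreElements()) {
                names.add(orig.nextElement());
            }
        }
        return Collections.enumeration(names);
    }
}
```

The filter wraps the incoming request, calls `putHeader("Authorization", ...)` only after the cookie check passes, and then continues with `chain.doFilter(wrapped, response)` so downstream servlets see the header through whichever accessor they use.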