Class AbstractRemoteUserFilter

java.lang.Object
wt.httpgw.filter.AbstractRemoteUserFilter
All Implemented Interfaces:
javax.servlet.Filter
Direct Known Subclasses:
TrustedAuthFilter

public abstract class AbstractRemoteUserFilter extends Object implements javax.servlet.Filter
Abstract Filter implementation that wraps the incoming servlet request to return a desired user from HttpServletRequest.getRemoteUser() and HttpServletRequest.getUserPrincipal() in place of that returned by the original request. The desired user is specified by subclasses by implementing getRemoteUser(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse).

Such a filter subclass may be used to derive a remote user from a header or cookie and then assert this as the remote user returned by the HttpServletRequest API and thus that used by Windchill.

This class is provided as a convenience so customizers do not have to bother with the implementation details that are common to all such filters.

Supported API: true
Extendable: true

  • Method Details

    • getRemoteUser

      protected abstract String getRemoteUser(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) throws IOException, javax.servlet.ServletException
      Implemented by subclasses to return the desired user for a request. How this is derived is determined by and specific to the subclass, but is generally based on the request. Implementations may signal error conditions by throwing exceptions or by sending errors on the response object as appropriate.

      Note: One should be extremely careful to ensure that the implementation of this method and one's overall server configuration do not open up a security vulnerability. If, for instance, this method obtains the user id from a request header and simply trusts that header, then one must carefully configure one's servers to ensure that there is no way this header can be provided by anything other than a trusted server (e.g. that any such headers provided by malicious clients are discarded).

      Supported API: true

      Parameters:
      request - Incoming servlet request
      response - Outgoing servlet response
      Returns:
      Remote user desired for this request
      Throws:
      IOException
      javax.servlet.ServletException
    • init

      public void init(javax.servlet.FilterConfig filterConfig) throws javax.servlet.ServletException

      Those overriding this method in a subclass must be sure to call super.init() in that override.

      Supported API: true

      Specified by:
      init in interface javax.servlet.Filter
      Throws:
      javax.servlet.ServletException
    • destroy

      public void destroy()

      Those overriding this method in a subclass must be sure to call super.destroy() in that override.

      Supported API: true

      Specified by:
      destroy in interface javax.servlet.Filter
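
The security note on getRemoteUser above, shown as a subclass that fails closed when it cannot establish that the identity header came from the trusted server. This is an added example, not PTC or Windchill code. The class name, the X-Authenticated-User header, the trustedProxyAddrs init-param and the user-name pattern are all assumptions, and the peer-address check supplements, rather than replaces, stripping the header from client requests at the front-end server.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import wt.httpgw.filter.AbstractRemoteUserFilter;

// Hypothetical subclass: class, header and init-param names are assumptions.
public class ProxyHeaderRemoteUserFilter extends AbstractRemoteUserFilter {
    private static final String USER_HEADER = "X-Authenticated-User"; // assumed header set by the proxy
    private Set<String> trustedProxies = Collections.emptySet();

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig); // the base class requires overrides to call super
        String param = filterConfig.getInitParameter("trustedProxyAddrs"); // assumed init-param
        if (param == null || param.trim().isEmpty()) {
            // Refuse to start with an empty allowlist instead of trusting every peer.
            throw new ServletException("trustedProxyAddrs must list the proxy addresses");
        }
        trustedProxies = new HashSet<>(Arrays.asList(param.trim().split("\\s*,\\s*")));
    }

    @Override
    protected String getRemoteUser(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Only a direct connection from a listed proxy may assert a user.
        if (!trustedProxies.contains(request.getRemoteAddr())) {
            throw new ServletException("Identity header from untrusted peer " + request.getRemoteAddr());
        }
        Enumeration<String> values = request.getHeaders(USER_HEADER);
        if (values == null || !values.hasMoreElements()) {
            throw new ServletException("Missing " + USER_HEADER);
        }
        String user = values.nextElement().trim();
        // A second copy of the header means a client-supplied value survived the proxy.
        // The allowed user-name pattern is an assumption; match it to your directory.
        if (values.hasMoreElements() || !user.matches("[A-Za-z0-9._@-]{1,64}")) {
            throw new ServletException("Rejected " + USER_HEADER + " value");
        }
        return user;
    }
}
```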