Class TrustedAuthFilter

All Implemented Interfaces:
javax.servlet.Filter

public final class TrustedAuthFilter extends AbstractRemoteUserFilter
This filter allows trusted clients to set an effective user id for a request without authenticating as that user. For instance, a trusted server may need to retrieve data subject to a given user's access rights without holding that user's credentials, or any user's credentials at all. Because a trusted client can act as any user, the set of trusted hosts and certificate subjects should be kept as narrow as the deployment allows.

Trust is established from the client host or from the client certificate. Trusted hosts are listed in the wt.auth.trustedHosts entry of wt.properties as a whitespace- and/or comma-delimited list. The server's own localhost is trusted in addition to that list unless the localHostIsTrusted init parameter is set to "false". Trusted client certificates are declared through trustedSubject.* init parameters (exact match of the certificate subject) and/or trustedSubjectPattern.* init parameters (regular-expression match of the certificate subject). Host-based trust can be disabled entirely by setting the trustTrustedHosts init parameter to "false", leaving certificate-based trust as the only path. Alternatively, setting the requireTrustedHostAndCert init parameter to "true" requires both conditions: the request must present a client certificate with a trusted subject and must originate from a trusted host.
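The following web.xml fragment is an added example, not part of the Windchill Javadoc or product configuration. It declares the filter with the permissive defaults switched off (no localhost trust, no host-based trust) so that only a client certificate with a trusted subject can set wt.effectiveUid. The package name wt.httpgw, the ".1" suffixes on the trustedSubject and trustedSubjectPattern parameters, and the subject DNs are assumptions; the filter-mapping is omitted because it is deployment-specific.

```xml
<!-- Added example (not from the Windchill Javadoc): TrustedAuthFilter
     configured for certificate-only trust. Package wt.httpgw, the ".1"
     parameter suffixes and the subject DNs below are assumptions. -->
<filter>
  <filter-name>TrustedAuthFilter</filter-name>
  <filter-class>wt.httpgw.TrustedAuthFilter</filter-class>

  <!-- Both of these default to trusting: the server's localhost and every
       host in wt.auth.trustedHosts may otherwise set wt.effectiveUid.
       Turning them off leaves certificate subject matching as the only
       way a client becomes trusted. -->
  <init-param>
    <param-name>localHostIsTrusted</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>trustTrustedHosts</param-name>
    <param-value>false</param-value>
  </init-param>

  <!-- Exact subject match for the single service account that is allowed
       to impersonate users. Prefer this form whenever the set of trusted
       clients is small and known. -->
  <init-param>
    <param-name>trustedSubject.1</param-name>
    <param-value>CN=reporting-svc,OU=Integration,O=Example Corp,C=US</param-value>
  </init-param>

  <!-- Regular-expression subject match for a family of service accounts.
       The pattern is anchored at both ends so a subject with extra or
       reordered RDNs cannot satisfy it by containing the expected text. -->
  <init-param>
    <param-name>trustedSubjectPattern.1</param-name>
    <param-value>^CN=[a-z0-9-]+-svc,OU=Integration,O=Example Corp,C=US$</param-value>
  </init-param>
</filter>
```

If host-based trust is wanted as a second factor rather than disabled, leave trustTrustedHosts at its default, list the permitted client addresses in wt.properties (for example, a constructed entry `wt.auth.trustedHosts=10.20.30.40,reporting.example.com`), and set requireTrustedHostAndCert to "true" so that a request must satisfy both the host list and a trusted subject. Two caveats apply to the subject parameters: the string form of the subject (RDN order, spacing, escaping) must match the form in which the container's certificate API presents it, so check a real certificate before writing exact matches or patterns; and because the page does not state whether a pattern must match the whole subject or merely occur within it, anchor every pattern with ^ and $ as above.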

The requested user id is specified by the wt.effectiveUid request parameter. If the client handles cookies, the parameter only needs to be supplied on the initial request, as subsequent requests will carry it in a cookie of the same name.

If wt.effectiveUid is specified but the client is not trusted, the request is rejected rather than processed under the caller's own identity.

Supported API: true
Extendable: false