Hey all, I'm using Tomcat 6.0.14 and would like to know to implement a system that would allow us to send users a link say mysite.com?token=12345678912334333(long string continued) but that would allow the user to be logged in automatically.
Unless you have other reasons specific to Tomcat, or you are unable to modify your web application, then it might be easiest to use a custom filter to do the authentication (JAAS or otherwise). For example:
- http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
- http://securityfilter.sourceforge.net/
With a custom filter, you could authenticate in whatever way you wanted to in a relatively straightforward way.
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
String token = request.getParameter("token");
if (token != null) {
doAuthentication(token);
}
chain.doFilter(request, wrapper);
}
You tagged with JAAS. That's different than just authenticating with a simple token, but if that's what you are looking for, are you familiar with Tomcat's JAASRealm? You would just have to write your own LoginModule to authenticate the token.
It probably goes without saying that using token based login via E-mail is inherently insecure, and so is not appropriate for all types of applications.
I guess you have to implement the logic by yourself, i.e. the link guide the user to a servlet or something like that which recognize that link, join it with the user, create a session object and redirect the user inside your app.
Hope this helps
来源:https://stackoverflow.com/questions/4832992/implementing-custom-authentication-with-tomcat