问题
Hey all, I'm using Tomcat 6.0.14 and would like to know to implement a system that would allow us to send users a link say mysite.com?token=12345678912334333(long string continued) but that would allow the user to be logged in automatically.
回答1:
Unless you have other reasons specific to Tomcat, or you are unable to modify your web application, then it might be easiest to use a custom filter to do the authentication (JAAS or otherwise). For example:
- http://www.kopz.org/public/documents/tomcat/jaasintomcat.html
- http://securityfilter.sourceforge.net/
With a custom filter, you could authenticate in whatever way you wanted to in a relatively straightforward way.
public void doFilter(ServletRequest request,
ServletResponse response,
FilterChain chain)
throws IOException, ServletException {
String token = request.getParameter("token");
if (token != null) {
doAuthentication(token);
}
chain.doFilter(request, wrapper);
}
You tagged with JAAS. That's different than just authenticating with a simple token, but if that's what you are looking for, are you familiar with Tomcat's JAASRealm? You would just have to write your own LoginModule to authenticate the token.
- http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JAASRealm
It probably goes without saying that using token based login via E-mail is inherently insecure, and so is not appropriate for all types of applications.
回答2:
I guess you have to implement the logic by yourself, i.e. the link guide the user to a servlet or something like that which recognize that link, join it with the user, create a session object and redirect the user inside your app.
Hope this helps
来源:https://stackoverflow.com/questions/4832992/implementing-custom-authentication-with-tomcat