Issues with Play and a Filter

212 views
Skip to first unread message

damian

unread,
Sep 26, 2010, 8:38:13 PM9/26/10
to play-framework
I have a requirement to implement a Filter for SSO (NTLM). I've wedged
a Jespa based filter into the exported App (via WAR command) but face
a couple of issues:

1. Tomcat cannot find the filter named in the web.xml (ClassNotFound).
The obvious way around this is to export the Filter as a JAR and put
it in WEB-INF/lib. Is there a better solution that would allow web.xml
to find it in the Play classpath? How does the ServletWrapper find the
Play code?

2. How to communicate between the Filter and Play Secure Module: The
Secure module works off a "username" session value. What is the best
way to populate this from the Filter? Session variables are not copied
across by the ServletWrapper.

Thanks,

Damian.

damian

unread,
Sep 26, 2010, 9:21:45 PM9/26/10
to play-framework
Regarding #2: I have tried setting the username in a ThreadLocal
however it is coming through to Secure.checkAccess() as null:

In the Filter :
SingleSignOnThreadLocal.set(username);

In Secure checkAccess() :
String username = SingleSignOnThreadLocal.get();

Where the ThreadLocal is:
public class SingleSignOnThreadLocal {
private static ThreadLocal userLocal = new ThreadLocal();

public static void set(String username) {
userLocal.set(username);
}

public static String get() {
return (String) userLocal.get();
}
}

Am I missing something?

Thanks.

Lawrence McAlpin

unread,
Sep 26, 2010, 10:44:17 PM9/26/10
to play-framework
Play! isn't a servlet based framework so there really is no Play!-
appropriate way
to do what you want.

Do you have access to the source code in the filter? You could write
a Play!
plugin that runs the filter code before every HTTP request (override
the
rawInvocation() method).

damian

unread,
Sep 26, 2010, 11:44:05 PM9/26/10
to play-framework
I realise that Play isn't servlet based, however when exporting to a
WAR file you have access to the servlet container in the App server
that you deploy to. For me this allows the rapid development afforded
by Play with the integration needed in Enterprise environments.

The code (NTLM) is complex and unsupported when run outside of a
filter. I feel that I'm so close to getting it working - all that is
really missing is passing the retrieved username to Play.

Thanks.

Guillaume Bort

unread,
Sep 27, 2010, 4:05:53 AM9/27/10
to play-fr...@googlegroups.com
Can you feed an HTTP header from the ServletFilter?

> --
> You received this message because you are subscribed to the Google Groups "play-framework" group.
> To post to this group, send email to play-fr...@googlegroups.com.
> To unsubscribe from this group, send email to play-framewor...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/play-framework?hl=en.
>
>

--
Guillaume Bort, http://guillaume.bort.fr

For anything work-related, use g...@zenexity.fr; for everything else,
write guillau...@gmail.com

damian

unread,
Sep 27, 2010, 7:18:13 PM9/27/10
to play-framework
That's how I ended up doing it. I extended HttpServletRequestWrapper
and added the username from the Jespa Filter.

It's working well.

For my own curiosity how would I achieve the same with ThreadLocal?
> Guillaume Bort,http://guillaume.bort.fr
>
> For anything work-related, use g...@zenexity.fr; for everything else,
> write guillaume.b...@gmail.com

Bing Ran

unread,
Sep 27, 2010, 9:20:47 PM9/27/10
to play-fr...@googlegroups.com
Receiving the request and invoking the action are not done on one thread.
There is an ExecutorService sitting in between.


--------------------------------------------------
From: "damian" <damian...@gmail.com>
Sent: Tuesday, September 28, 2010 7:18 AM
To: "play-framework" <play-fr...@googlegroups.com>
Subject: [play-framework] Re: Issues with Play and a Filter

damian

unread,
Sep 28, 2010, 2:32:54 AM9/28/10
to play-framework
Ok. Thanks Bing.

I had heard of others using this. Perhaps they had a different
approach?



On Sep 28, 11:20 am, "Bing Ran" <bing....@gmail.com> wrote:
> Receiving the request and invoking the action are not done on one thread.
> There is an ExecutorService sitting in between.
>
> --------------------------------------------------
> From: "damian" <damianhar...@gmail.com>

Bing Ran

unread,
Sep 28, 2010, 2:50:08 AM9/28/10
to play-fr...@googlegroups.com
The PlayPlugin class offer lots of plug-in points, some of them on the same
thread as the action invocation, others not.

--------------------------------------------------
From: "damian" <damian...@gmail.com>
Sent: Tuesday, September 28, 2010 2:32 PM

Bing Ran

unread,
Sep 28, 2010, 3:57:09 AM9/28/10
to play-fr...@googlegroups.com
I might have been wrong about the threading model. Since you were using
servlet, the servlet thread and the action invocation thread seems to be the
same thread, in contrast to the way the Netty http stack is used.

--------------------------------------------------
From: "damian" <damian...@gmail.com>
Sent: Tuesday, September 28, 2010 2:32 PM

Sim51

unread,
Sep 28, 2010, 7:05:53 AM9/28/10
to play-framework
For information, there is a play module for CAS authentification, and
a NTML handler for CAS.
So you can easly do this ... and a lot of web application are CAS
compliante (it's not the case for NTML).

On 28 sep, 09:57, "Bing Ran" <bing....@gmail.com> wrote:
> I might have been wrong about the threading model. Since you were using
> servlet, the servlet thread and the action invocation thread seems to be the
> same thread, in contrast to the way the Netty http stack is used.
>
> --------------------------------------------------

Guillaume Bort

unread,
Sep 28, 2010, 8:26:59 AM9/28/10
to play-fr...@googlegroups.com
I think that sharing the data via HTTP header is teh best way. But if
you want to share Java objects between your play application and your
servlet filter, just remember that the play code can see the servlet
code, but the reverse is not true.

> For more options, visit this group at http://groups.google.com/group/play-framework?hl=en.
>
>

--
Guillaume Bort, http://guillaume.bort.fr

For anything work-related, use g...@zenexity.fr; for everything else,

write guillau...@gmail.com

damian

unread,
Sep 28, 2010, 7:24:53 PM9/28/10
to play-framework
Thanks for the tip. Good to know.

My SSO against Active Directory is working well. I highly recommend
Jespa and it's suprisingly easy (in the end) to get it working with
Play once deployed as a WAR.

D.
Reply all
Reply to author
Forward
0 new messages