tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Antony Bowesman <>
Subject Re: Getting HttpRequest inside Realm/Tomcat 4
Date Thu, 25 Oct 2001 11:12:36 GMT
Hi Craig,

Thanks for your comments again.

> You're right ... there is nothing there to do this.  The original
> design was based on the idea that Realm simply encapsulates a
> service that authenticates a user, given a username and some
> credentials.  In addition, it needs to work even when HTTP sessions
> are not in use (for example, for BASIC authentication).
> One strategy for dealing with this might be to register a session
> event listener and registers your session in the sessionCreated()
> event handler.

I like the realm and general design in TC4, it's much better and cleaner
than 3.2.  However, I think there is something missing in the realm
interface authenticate methods, particulary for form login:-

If you modify a login form to include a field other than j_username and
j_password so the user can select some kind of 'post login preferences'
it is not possible to get this extra field to the realm.

We use JAAS for authentication.  JAAS allows  and one of the login
modules authenticates against our EJB user repository and loads user
preferences (groups/roles etc) and one feature the user can select is
their preferred role set for the session.

I don't think the event listener will work for our use, following login,
so it seems the following is how I can achieve what I want.

Replace the org.apache.catalina.authenticator.FormAuthenticator with my
own FormAuthenticator class by modifying the
and extend the realm interface to pass either a map of http request
parameters, or in fact the http request itself.  My realm can do what it

What about passing the Request object as a parameter to the Realm
interface authenticate() methods for 4.1 release.

And how about having only a JAAS realm in standard tomcat and just
provide different login modules for jdbc/jndi/other access.

JAAS would of course tie Tomcat to JDK1.3+, is there a minimum for
Tomcat 4?

BTW, I saw you offered your BOF slides to someone, are they available?


View raw message