tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Johann Uhrmann <>
Subject API for user authentication
Date Sun, 10 Nov 2002 10:57:22 GMT

as far as I know, there is only one possible way to use form based
authentication with Tomcat:

- sending a request to a restricted site
- getting the login form instead
- logging in and getting the restricted site

However, the following scenario seems more common in web applications:

- having a welcome page that offers a user name and
  password field
- after submitting that form the user gets the index page
  of the web application

It seems to me that there is no way to provide the second scenario with
tomcat. Therefore, I ask You whether there is an API call that can
verify a username/password combination and create a user session.

That kind of api call would be handy in the second scenario as the index
page could easily check the given user/pass and send a redirect to the
error page if it was wrong or show up the index page if the login

I know that this kind of functionality could be simulated by
implementing a proprietary login mechanism. However, that would mean to
throw away the security-constraint mechanisms (web.xml), the built-in
user verification (jdbc-realm, ldap,...) and would require every site to
check whether the user is logged in or not.

If there is no API call to verify user/password then please treat this
message as a feature request.

Thank You very much,

Johann Uhrmann

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message