From: "Bill Barker"
To: "Tomcat Developers List"
Subject: Re: API for user authentication
Date: Mon, 11 Nov 2002 00:12:36 -0800

It will bind you forever to a particular Tomcat version, but the following should work: The authenticating Servlet can't be protected, so that servlet saves off the Principal as a special session variable. You then write a (Context level) Valve & Realm. The Valve looks for the special session variable, and if found, calls setUserPrincipal on the HttpRequest with the value.
Now, the FormAuthenticator will say that you are already authenticated. The Realm can then check against any required roles to allow you access to your protected pages.

----- Original Message -----
From: "Johann Uhrmann"
To:
Sent: Sunday, November 10, 2002 2:57 AM
Subject: API for user authentication

> Hi,
>
> as far as I know, there is only one possible way to use form-based
> authentication with Tomcat:
>
> - sending a request to a restricted site
> - getting the login form instead
> - logging in and getting the restricted site
>
> However, the following scenario seems more common in web applications:
>
> - having a welcome page that offers a user name and password field
> - after submitting that form, the user gets the index page of the web application
>
> It seems to me that there is no way to provide the second scenario with
> Tomcat. Therefore, I ask you whether there is an API call that can
> verify a username/password combination and create a user session.
>
> That kind of API call would be handy in the second scenario, as the index
> page could easily check the given user/pass and send a redirect to the
> error page if it was wrong, or show the index page if the login
> succeeded.
>
> I know that this kind of functionality could be simulated by
> implementing a proprietary login mechanism. However, that would mean
> throwing away the security-constraint mechanisms (web.xml), the built-in
> user verification (jdbc-realm, ldap, ...) and would require every site to
> check whether the user is logged in or not.
>
> If there is no API call to verify user/password then please treat this
> message as a feature request.
>
> Thank you very much,
>
> Johann Uhrmann
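The Valve half of Bill's suggestion, as an added example that is not code from this thread or from Tomcat itself, written against the Tomcat 4.x Catalina Valve API of the time (ValveBase/ValveContext); the session attribute name `tomcat.dev.AUTH_PRINCIPAL` is an assumed one that the unprotected login servlet would have to use when it stores the Principal:

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.catalina.HttpRequest;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;
import org.apache.catalina.valves.ValveBase;

/**
 * Context-level Valve: if the (unprotected) login servlet has already
 * verified the user and stored the resulting Principal in the session,
 * re-attach that Principal to the current request before the
 * FormAuthenticator runs, so the container treats the user as logged in.
 */
public class SessionPrincipalValve extends ValveBase {

    /** Session attribute written by the login servlet (assumed name). */
    public static final String PRINCIPAL_ATTR = "tomcat.dev.AUTH_PRINCIPAL";

    public void invoke(Request request, Response response, ValveContext context)
            throws IOException, ServletException {
        // Only HTTP requests carry a session; pass anything else straight through.
        if (request instanceof HttpRequest) {
            HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
            // getSession(false): never create a session just to look for the flag.
            HttpSession session = hreq.getSession(false);
            Object stored = (session == null) ? null : session.getAttribute(PRINCIPAL_ATTR);
            // Never override a principal the container itself has already established.
            if (stored instanceof Principal && hreq.getUserPrincipal() == null) {
                HttpRequest httpRequest = (HttpRequest) request;
                httpRequest.setUserPrincipal((Principal) stored);
                httpRequest.setAuthType(HttpServletRequest.FORM_AUTH);
            }
        }
        // Continue down the pipeline (authenticator, then the servlet).
        context.invokeNext(request, response);
    }
}
```

Register it with a `<Valve className="..."/>` element inside the `<Context>` so it sits in the Context pipeline ahead of the authenticator. Because the session attribute now acts as the login token, the login servlet should invalidate any pre-existing session and start a fresh one before storing the Principal, so that a session id handed to the user before login cannot be reused.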