tomcat-users mailing list archives

From "Dunkle, Ed" <>
Subject RE: protecting all resources
Date Wed, 03 May 2000 15:34:43 GMT
What would be nice is if you could configure a servlet container to use your
own custom class that accepted a principal and credentials in a validate()
method and returned a boolean.  Then we could implement our own logic for
the validation but rely on the container to protect resources.

Since it doesn't appear to work that way, I am trying to figure out how to
do this myself.  In Tomcat, I can extend the DefaultServlet with a session
object check before delegating to super.doGet().  And I have a LoginServlet,
invoked from a custom form, that authenticates and creates the session
object.  Is there a better way to do this?  Extending DefaultServlet is not
a portable solution.


-----Original Message-----
From: Craig McClanahan []
Sent: Tuesday, May 02, 2000 7:21 PM
Subject: Re: protecting all resources

"Dunkle, Ed" wrote:

> Admittedly, I have not finished reading the JSDK 2.2 spec yet, but I'm
> working on it.  But, before I spend a lot of time on this, I was hoping
> someone could give me a clue.
> I am using form-based custom authorization.  So we have our own HTML form
> that posts to a servlet that then validates the credentials.  That's fine
> for a login, but I am wanting to ensure that the login has been successful
> before serving up any other files, mainly HTML and JSPs.

The idea in the spec is that you should be able to delegate all this stuff
to the servlet container, instead of building it into your application -- the
same way that you can delegate authentication to a web server for password
protected directories.

> I am thinking that I need to write a custom "file" servlet that would
> check for a valid login before allowing the file to be sent.  IF there is
> another way to do this, please let me know!

If you wanted to protect an entire web application (requiring a valid
username/password), rather than just part of it, you might do something like
this in your web.xml file:

            <web-resource-name>Entire Application</web-resource-name>

        <realm-name>My Password-Protected Web Application</realm-name>

This way, you don't have to write anything inside your application itself to
enforce security.

A couple of notes if you want to try this with Tomcat 3.1:

* Unfortunately, Tomcat 3.1 does not support form-based security as
  in the specification yet.  You might try changing the authentication to
  BASIC instead, to trigger the browser pop-up dialog box for logging in
  (note that this is not secure over the Internet).

* By default, Tomcat will load its list of valid users from a file named
  under the Tomcat home directory.

* It is also possible to write a custom implementation of security checking
  so that you can process users and passwords in whatever database or
  directory server you have them in -- this is somewhat more work but it's
  certainly feasible.

> Thanks,
> Ed

Craig McClanahan
