tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: protecting all resources
Date Wed, 03 May 2000 17:01:08 GMT
"Dunkle, Ed" wrote:

> What would be nice is if you could configure a servlet container to use your
> own custom class that accepted a principal and credentials in a validate()
> method and returned a boolean.  Then we could implement our own logic for
> the validation but rely on the container to protect resources.

You can do that, but the mechanism will be specific to each servlet container.

For Tomcat 3.1, you would extend the SecurityCheck class, replacing the
"MemoryRealm" logic at the bottom that accesses the conf/tomcat-users.xml file
with your own.  For the Catalina architecture (see directory
"proposals/catalina" in the Tomcat source repository), you would implement your
own Realm.

> Since it doesn't appear to work that way, I am trying to figure out how to
> do this myself.  In Tomcat, I can extend the DefaultServlet with a session
> object check before delegating to super.doGet().  And I have a LoginServlet,
> invoked from a custom form, that authenticates and creates the session
> object.  Is there a better way to do this?  Extending DefaultServlet is not
> a portable solution.

There aren't any totally portable solutions because there is no standardized
interface between a servlet container and a security realm.  This is something
that may get addressed in a future version of the API -- for now, every 2.2
container should document how you install your own custom security mechanisms.

> Thanks,
> Ed
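
The validate(principal, credentials) contract described in the quoted question, as an added example that is not part of the original message and is not Tomcat code. CredentialValidator and StoredHashValidator are hypothetical names, the user and password are constructed sample data, and Java 16 or later is assumed; wiring such a class into a container remains container-specific, as the reply says.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical contract from the question; not a Tomcat or Servlet API type.
interface CredentialValidator { boolean validate(String principal, char[] credentials); }

public class StoredHashValidator implements CredentialValidator {
    private record Entry(byte[] salt, byte[] hash) {}
    private static final int ITERATIONS = 210_000, KEY_BITS = 256; // assumed work factor
    private final Map<String, Entry> users = new ConcurrentHashMap<>();
    // Dummy entry so an unknown principal costs the same hashing work as a known one.
    private final Entry dummy = newEntry("not-a-real-password".toCharArray());

    private static byte[] pbkdf2(char[] secret, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(secret, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static Entry newEntry(char[] secret) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // per-user random salt
        return new Entry(salt, pbkdf2(secret, salt));
    }

    public void register(String principal, char[] secret) { users.put(principal, newEntry(secret)); }

    @Override
    public boolean validate(String principal, char[] credentials) {
        if (principal == null || credentials == null) return false; // fail closed
        Entry stored = users.get(principal);
        Entry e = (stored != null) ? stored : dummy;
        boolean match = MessageDigest.isEqual(pbkdf2(credentials, e.salt()), e.hash()); // constant-time
        return match && stored != null;
    }

    public static void main(String[] args) {
        StoredHashValidator v = new StoredHashValidator();
        char[] pw = "constructed-sample-pw".toCharArray(); // constructed sample data
        v.register("ed", pw);
        System.out.println(v.validate("ed", pw) + " " + v.validate("ed", "wrong".toCharArray()) + " " + v.validate("nobody", pw));
    }
}
```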

