tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: FORM-based authentication
Date Tue, 05 Sep 2000 17:08:57 GMT
Johan Peeters wrote:

> I experimented with (from web.xml)
>   <!-- Security configuration -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Protected Area</web-resource-name>
>       <url-pattern>*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>operator</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <!-- Login configuration uses FORM authentication -->
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/logon.jsp</form-login-page>
>       <form-error-page>/accessRefused.jsp</form-error-page>
>     </form-login-config>
>     <realm-name>Payment Server Management</realm-name>
>   </login-config>
> with Tomcat 3.2b3. But, no dice - the logon page is not served. Do I
> take it that Form-based authentication has not been implemented yet?

As Nacho points out, the example application includes a working case of
form-based login with Tomcat 3.2.  However, I believe there's a problem in
the current code (but haven't had time to verify this) -- I think the login
page itself needs to be *outside* of the protected area for form-based login
to work.

> I gathered from a mail from Craig McClanahan in the Struts mailing list
> that Catalina had implemented it. What is the relationship between
> Catalina and Tomcat? When can an implementation of form-based
> authentication be expected in Tomcat?

Catalina is the code base that will be the servlet container for Tomcat
4.0.  You can get nightly distributions of the code (current quality state
is pre-alpha, but it's functionally pretty complete, and includes initial
implementation of some servlet 2.3 / JSP 1.2 additions already) at:

and source distributions at:

My personal goal is to have a complete, beta-quality distribution of Tomcat
4.0 ready in time for ApacheCon Europe in London (October 23-26).

> I am particularly interested in form-based authentication because of the
> claim that authentication would be session-based. Am I right in thinking
> that the servlet spec leaves it open whether authentication would be
> session-based or not?  I.e. a downside of relying on form-based
> authentication's session-based nature would be that this behaviour would
> not necessarily be guaranteed on other servlet containers?
> Is the servlet spec's form-based authentication mapped to http
> authentication, as the BASIC authentication is, or is the authentication
> mechanism servlet container-specific?

Catalina's current form-based login support is indeed session based.  In
other words, if your session expires, you will be required to
re-authenticate.  Although not stated explicitly, this is the behavior I
believe that the specification is expecting.

Form-based authentication *cannot* be mapped to HTTP BASIC -- if you want to
use BASIC, ask for that instead (by setting the <auth-method> element of
<login-config>).  BASIC authentication is *not* session based -- it's up to
the browser to decide whether and when to send credentials once the user has
authenticated the first time (and thus not under the servlet container's
control).  Most (all?) current browsers seem to remember BASIC
authentication credentials for a particular web app until you restart them.

> A whole lot of questions - I would be glad to even only have some
> answered. Maybe I should ask some of them on a mailing list on the
> servlet specs...
> Many Thanks,
> Yo

Craig McClanahan

See you at ApacheCon Europe <>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
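The following web.xml is an added example (not taken from the message above or from Tomcat itself) that applies Craig's point: the form login page and error page sit outside the protected area. It assumes the protected resources live under /protected/ and uses the Servlet 2.2 prefix-pattern form for that subtree; the role name, realm name and page names are the ones from the quoted configuration.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>

  <!-- Only /protected/* is constrained. /logon.jsp and /accessRefused.jsp
       live at the context root, so an unauthenticated browser can be
       redirected to them without tripping the constraint itself.
       (The /protected/ layout is an assumption made for this example.) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>operator</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login: the container redirects to /logon.jsp, and the session
       created there carries the authenticated identity until it expires.
       To use HTTP BASIC instead, set <auth-method>BASIC</auth-method>
       and drop <form-login-config>; the browser then caches credentials
       on its own terms, outside the container's control. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Payment Server Management</realm-name>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/accessRefused.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare the role referenced by the auth-constraint so the deployer
       can map it to principals in the container's realm. -->
  <security-role>
    <role-name>operator</role-name>
  </security-role>

</web-app>
```

The login page itself is an ordinary form that the servlet specification requires to POST the fields j_username and j_password to the action j_security_check (relative to the context path); the container intercepts that request, validates it against the realm, and on success replays the originally requested protected URL. Because the session is what carries the authenticated state, a short session timeout is the practical way to bound how long a forgotten browser stays logged in.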
