tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John de la Garza" <>
Subject RE: formbased security
Date Mon, 04 Dec 2000 19:44:40 GMT

You've been super helpful, just wanted to let you know I really appreciate
it and have got alot out of your quick responses!  I normally don't get
support this good, even we it is billed at $100 a question.

-----Original Message-----
From: Craig R. McClanahan []
Sent: Monday, December 04, 2000 11:04 AM
Subject: Re: formbased security

John de la Garza wrote:

> What I meant was how can I never have them see the tomcat login...I want
> validate the manually from my own code?
> I have a web based app that the user must log into...I want log the user
> to tomcat once they are logged into to application.
> What I meant about being asked twice was that they would be asked to login
> to my app...then asked once to log into tomcat's thing..

If you want the user to experience a single login, you need to choose one
approach or the other -- either have your application do it all, or have
do it all.

In the former case, your application would need to do it's own checking (on
every request) that the user is still logged in, and redirect them to the
page if needed.  You would not have an <security-constraint> or
entries in your web.xml file.

For Tomcat-managed security, you would install such directives, and set up
users and roles appropriately (by default in the "conf/tomcat-users.xml"
You can customize the look and feel of the login page if you choose
authentication.  See the servlet specification
<> for more information on

Craig McClanahan

View raw message