tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: formbased security
Date Mon, 04 Dec 2000 19:03:33 GMT
John de la Garza wrote:

> What I meant was how can I never have them see the tomcat login...I want to
> validate them manually from my own code?
> I have a web based app that the user must log into...I want to log the user in
> to tomcat once they are logged in to the application.
> What I meant about being asked twice was that they would be asked to login
> to my app...then asked once to log into tomcat's thing..

If you want the user to experience a single login, you need to choose one
approach or the other -- either have your application do it all, or have Tomcat
do it all.

In the former case, your application would need to do its own checking (on
every request) that the user is still logged in, and redirect them to the login
page if needed.  You would not have any <security-constraint> or <login-config>
entries in your web.xml file.

For Tomcat-managed security, you would install such directives, and set up your
users and roles appropriately (by default in the "conf/tomcat-users.xml" file).
You can customize the look and feel of the login page if you choose form-based
authentication.  See the servlet specification
<> for more information on

Craig McClanahan
