tomcat-users mailing list archives

From "Emir Alikadic (ADNOC IS&T)" <>
Subject RE: Programmatic security with servlet mappings in tomcat
Date Tue, 03 Jul 2001 08:59:47 GMT
I wrote my own custom authentication scheme for exactly the same reasons.  I
hope Tomcat will soon add forms based authentication so I can remove this
(unnecessary) level of complexity from my applications.


-----Original Message-----
From: Hughes, Tim []
Sent: Tuesday, July 03, 2001 12:50 PM
To: ''
Subject: RE: Programmatic security with servlet mappings in tomcat

I did not want to use the container's authentication mechanism for several reasons:

1. I can't store passwords and usernames in a database.
2. I get more control over the login process, e.g. I can give different login
error messages depending on the source of the login failure (wrong password,
wrong username, etc ...) + I can log these login failures (useful since
they may help in detecting "break-ins").
3. I read in Wrox Professional Java Server Programming that "as of writing
this chapter, Tomcat (Version 3.1) does not completely support form-based
authentication. Although Tomcat includes an experimental version of
form-based authentication, this is not suitable for demonstration purposes".

Tim Hughes

-----Original Message-----
From: Antony Bowesman []
Sent: 3 July 2001 10:32
Subject: Re: Programmatic security with servlet mappings in tomcat


pete wrote:
> Tim,
> there are several ways to implement this kind of security check. If you
> want a fullblown MVC model, you might consider looking at Struts or one
> of the other Apache-driven frameworks (Struts is the only one i have
> personal experience with).
> with the example you give, i don't understand the need for a
> 'controller' jsp in this context.
> The way i handle security in one of my apps is that i have a method in a
> session-bean (public void isAuthenticated()) that checks the user has a
> valid login, so all my jsps (except login.jsp) are wrapped in a
> statement like
> <jsp:useBean id="Authentication" scope="session"
> class="com.mycompany.authentication"></jsp:useBean>
> <%if (Authentication.isAuthenticated())
> {%>
> .... rest of JSP goes here
> <%}
> else
> {
> response.sendRedirect("./login.jsp");
> }
> %>
> If a valid session key is already assigned, the method returns true. If
> username and password are supplied in request scope, isAuthenticated
> does a lookup to our authentication database, and if successful, sets a
> valid session key, and returns true.
> If neither of these are true, isAuthenticated sets a 'you are not
> authenticated' message to be displayed by login.jsp,  returns false, and
> the user is redirected back to login.jsp

Interesting that you don't use the container's authentication mechanism
to protect pages.  What if someone writes an app that doesn't protect
the page.  Any reason why you chose this route?


This message contains information that may be privileged or confidential and
is the property of the Cap Gemini Ernst & Young Group. It is intended only
for the person to whom it is addressed. If you are not the intended
recipient, you are not authorized to read, print, retain, copy, disseminate,
distribute, or use this message or any part thereof. If you receive this
message in error, please notify the sender immediately and delete all copies
of this message.
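Antony's question (what protects a page whose author forgets the scriptlet check?) and Tim's requirements (credentials in a database, a log entry for every failed login, control over the error message) can both be met programmatically without repeating the check in every JSP. The listing below is an added example written for this page, not code from any of the posters or from Tomcat: a Servlet 2.3 Filter (Tomcat 4 and later, javax.servlet API) that turns away every unauthenticated request, a login servlet, and a JDBC credential check. The package name, the `users` table and its columns, the JNDI name `jdbc/AuthDB`, the session attribute name and the URL paths are all assumptions.

```java
// Added example for this page, not code from any of the posters. Three classes in one
// listing; each public class goes in its own file under com/example/auth/ (assumed package).
package com.example.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.sql.*;
import java.util.logging.Logger;
import javax.naming.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

/** Mapped to /* in web.xml, so no JSP can forget the login check. */
public class AuthenticationFilter implements Filter {
    static final String USER_ATTR = "authenticatedUser";   // set by LoginServlet on success
    static final String LOGIN_PAGE = "/login.jsp";         // assumed location of the form
    private static final Logger LOG = Logger.getLogger(AuthenticationFilter.class.getName());

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path inside the web application, independent of how servlets are mapped.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (LOGIN_PAGE.equals(path) || "/login".equals(path)) {   // form and handler stay open
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            LOG.info("unauthenticated request for " + path + " from " + request.getRemoteAddr());
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;                                   // the protected resource never runs
        }
        chain.doFilter(req, res);
    }
}

/** Mapped to /login: checks the database, logs every failure, marks the session. */
public class LoginServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(LoginServlet.class.getName());
    private CredentialStore store;

    public void init() throws ServletException {
        try {   // assumed JNDI name of the authentication database
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AuthDB");
            store = new JdbcCredentialStore(ds);
        } catch (NamingException e) {
            throw new ServletException("authentication database not configured", e);
        }
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String username = request.getParameter("username");
        String reason = store.check(username, request.getParameter("password"));
        if (reason != null) {
            // The exact cause goes to the server log only; the browser gets one generic message,
            // because "unknown user" vs "wrong password" tells an attacker which accounts exist.
            LOG.warning("login failed (" + reason + ") for '" + username + "' from " + request.getRemoteAddr());
            request.setAttribute("loginError", "Invalid username or password.");
            request.getRequestDispatcher(AuthenticationFilter.LOGIN_PAGE).forward(request, response);
            return;
        }
        HttpSession old = request.getSession(false);   // drop any pre-login session so that a
        if (old != null) old.invalidate();              // fixed session id is never promoted
        request.getSession(true).setAttribute(AuthenticationFilter.USER_ATTR, username);
        LOG.info("login ok for '" + username + "' from " + request.getRemoteAddr());
        response.sendRedirect(request.getContextPath() + "/");
    }
}

interface CredentialStore {
    String check(String username, String password);   // null if valid, else a reason for the log
}

/** Assumed table users(user_name, user_pass), user_pass a raw SHA-256 digest (BINARY(32)). */
class JdbcCredentialStore implements CredentialStore {
    private final DataSource ds;
    JdbcCredentialStore(DataSource ds) { this.ds = ds; }

    public String check(String username, String password) {
        if (username == null || password == null) return "missing credentials";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT user_pass FROM users WHERE user_name = ?")) {
            // Hash first so both outcomes cost about the same; bind the name, never concatenate it.
            byte[] supplied = MessageDigest.getInstance("SHA-256").digest(password.getBytes(StandardCharsets.UTF_8));
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return "unknown user";
                return MessageDigest.isEqual(rs.getBytes(1), supplied) ? null : "wrong password";
            }
        } catch (SQLException | NoSuchAlgorithmException e) {
            return "error: " + e.getMessage();
        }
    }
}
```

In web.xml the filter is mapped to `/*` and the servlet to `/login`. The servlet records in the log whether the username or the password was wrong but sends the same message back either way; distinct messages to the browser let anyone enumerate valid accounts. A production store should also use a salted, iterated password hash (PBKDF2 through `javax.crypto.SecretKeyFactory` ships with the JDK) rather than the plain SHA-256 used here for brevity.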
