tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Abraham Fathman" <>
Subject RE: Customising the logic behind Container Authentication (j_security_check)
Date Mon, 06 May 2002 04:30:26 GMT
j_security_check should work with all containers. Custom authentication
will work with all containers as long as you don't use any server
specific code (casting an object to a tomcat object...).

Like I said, I am doing custom auth and am quite happy with it.


-----Original Message-----
From: Joel Baker [] 
Sent: Sunday, May 05, 2002 11:07 PM
Subject: Re: Customising the logic behind Container Authentication


Thanks for that. Other than this apparent lack of flexibility, are there
problems with the j_security_check method? I presume/hope that it is
secure etc (when used through https). Upon reading the servlet spec PDF
I note that the j_security_check method is defined at this level and as
such should work in all containers. Is this the case? I hope I'm right
in assuming that custom authentication should work in all containers as

I will look into custom auth, but not just yet. My attitude towards this
current project is to get each section working before considering
implementing it at a release level. ;)

Cheers for your help,


""Abraham Fathman"" <> wrote in message
| Joel,
| I wouldn't use the Security in the spec - ie don't use 
| j_security_check servlet...
| Write your own authentication mechanism that will tie into this third 
| party. You can write a filter (as of servlet spec 2.3) that will 
| restrict access to certain url by first redirecting them to a logon 
| page.
| Does this make sense? I have written applications that do excatly what

| you are talking about so if it doesn't, respond with what I need to 
| expand on.
| Hope I can help!
| Abe
| -----Original Message-----
| From: Joel Baker []
| Sent: Saturday, May 04, 2002 11:55 PM
| To:
| Subject: Customising the logic behind Container Authentication
| (j_security_check)
| Hi there,
| The webapp I'm currently developing uses the j_security_check method 
| of authentication. That is, when authentication is required (ie: when 
| a client tries to access a restricted resource) the client gets 
| directed to the file specified in the <form-login-page> tag in my 
| web.xml file - in this case this file is login.jsp. This JSP presents 
| a form to the client whose action is j_security_check, an internal 
| Tomcat servlet (though it is more general than Tomcat, being in the 
| Servlet spec) that processes this response. When the user is 
| authenticated, based on her username and password, by the 
| j_security_check servlet she is returned to the resource she first 
| requested.
| However, I am needing to set further login tokens based on the 
| username and password given and am thus looking to somehow intercept 
| the j_security_check servlet - ideally without rewriting it. This is 
| because I am trying to create an authentication token for a third 
| party web application (and thus creating single sign on as the third 
| party web app doesn't use tomcat container authentication) at the same

| time as logging into the main site.
| If anyone has any ideas I would be, of course, very grateful.
| Joel Baker.
| --
| To unsubscribe:   <>
| For additional commands: <>
| Troubles with the list: <>

To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message