tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Milind Nirgun <>
Subject Re: Custom Authentification
Date Wed, 22 May 2002 20:13:00 GMT
Have you looked into JAAS ? Perhaps using that API, it may be possible to 
plugin your own authentication module. 

On Monday 20 May 2002 06:47 pm, you wrote:
> Perhaps I should be more clear about what I am trying to accomplish (and 
> spell authentication correctly)
> I had originally created my own login/authenfication application.  It 
> allowed users to create profiles with a user name, password, a password 
> hint, and email addr.  Logged-in users are marked by a Principal object 
> (com.something.Principal) in their session.  The key reasons I had 
> originally gone in this direction were:
> -To be able to give 'hints' and informative error messages to users who had 
> forgotten their passwords
> -I wanted to be able to add my own functionality for handling auto-logins 
> via persistent cookies
> -I wanted users who created a new profile to be logged-in as a result 
> (rather then be forced to login after creating their new profile).
> To work with security constraints, I created a small tag library for JSPs 
> that simply forwards requests to the login page if the user does not have 
> sufficient privileges.  A bit of a compromise since I can't define security 
> constraints in the web.xml, but it works rather easily.
> Everything was great until we decided we wanted to add a web forum - 
> Jive.  Jive, like thousands of other web apps, assumes that permissions are 
> handled via request.isUserInRole() and related methods.
> Of course, I'm not surprised that Jive doesn't use *my* authentication 
> system, but I was hoping that there was enough variation in authentication 
> strategies that largish applications would have a single point to allow 
> users to plug-in their own strategies.  So, if I can't easily modify Jive 
> to fit my current strategy, I'll have to modify my strategy to work within 
> or on top of the Servlet API authentication system.
> I've looked at sub-classing some of the Tomcat classes, but it looks like 
> some of the key ones are final - which leads me to think I still may be on 
> the wrong track.
> Any ideas?
> At 01:39 PM 5/20/2002, you wrote:
> >I am trying to create a custom login / authentification system with the 
> >following requirements:
> >
> >-Tracks more info then just user name, password, and roles (ie email 
> >-Allow new users to fill in a new user form (with the extra info) and be 
> >logged in after successfully completing the form
> >-Make the extra info available to Servlets & JSPs via a session object
> >-Maintain compatibility with the Servlet API for authentification, namely 
> >that request.isUserInRole(), request.getPrincipal(), web-app defined 
> >security constrains work as expected
> >
> >Every solution I come up with seems to cross one of these lines.  I would 
> >appreciate any ideas you might have.
> >
> >Thanks,
> >
> >Eric Everman
> >
> >
> >--
> >To unsubscribe, e-mail:   
> >For additional commands, e-mail: 
> --
> To unsubscribe, e-mail:   
> For additional commands, e-mail: 

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message