tomcat-users mailing list archives

From "Craig R. McClanahan"
Subject Re: Problems with Tomcat4 Security Design
Date Fri, 25 Oct 2002 23:42:21 GMT

On Fri, 25 Oct 2002, vsajip wrote:

> Date: Fri, 25 Oct 2002 23:06:29 +0100
> From: vsajip
> Reply-To: Tomcat Users List
> Subject: Problems with Tomcat4 Security Design
>
> I'm having problems using the Tomcat 4 security design for a slightly
> customised requirement. I've created a custom realm for an external
> information provider which, when I authenticate a user, gives me a token (in
> the form of an essentially opaque object). This token needs to be passed
> back to the external provider when accessing data protected by that
> realm/external provider. I also need to enable single sign-on for a whole
> virtual host.
> I've got almost everything working correctly - my custom realm authenticates
> correctly, and SSO with it works. However, I can't do anything useful with
> the external information provider, since the current design provides no way
> to put the token object from the realm into a request, where it could be
> accessed by a servlet, JSP etc. This is because the realm has no access to
> the request - you need an authenticator for that. I tried subclassing
> FormAuthenticator, but it's of no use - an authenticator has to be placed
> into a context, and can't be placed into a host! So to achieve SSO, I have
> to add the authenticator as a valve into every Context. I'd rather not do
> this unless it's unavoidable - and anyway, what would be the way of getting
> the token out of the realm into the authenticator? Can anyone suggest a
> clean alternative way of getting things to work in the scenario I've
> described?
>
> Also, why is it necessary to have getPassword(String username) and
> getPrincipal(String username) in every Realm, especially as they all return
> null except for the versions in MemoryRealm?
>
> The idea of orthogonal realm and authenticator is nice in theory, but it
> seems that what I need is something like an Authenticator and Realm rolled
> into one. I'd appreciate any comments from those of you with experience in
> this area. (This is my first post to the list, so please be patient if I
> have missed something simple. I have searched the mailing-list archive for
> similar problems and found no joy.)

Sounds like you really should write a custom Authenticator that doesn't
use the standard Realm back end.  Nothing requires you to do that -- and,
since you'd need a custom Realm anyway, you might as well just combine
everything into a single class.

By the way, Tomcat has standard support for single sign on.  The actual
implementation of this won't help you, but the design addresses one of
your concerns.  You embed the <Valve> element that implements this in the
<Host> element, instead of in the <Context> element -- then, it is
automatically applied to all requests for all webapps installed on that
virtual host.  That way, you don't have to manage a non-default
configuration for every single webapp.

You might want to see if something similar helps you with your custom SSO
authenticator (which is really a Valve under the covers).

> Thanks,
> Vinay Sajip
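One way to do what Craig suggests, as an added example that is neither the thread's nor Tomcat's own code: a Tomcat 4 Valve that rolls realm and authenticator into one class and hands the provider's opaque token to the webapp as a request attribute. ExternalProvider and its login() method are hypothetical stand-ins for the poster's external information provider; Request, Response, HttpRequest, ValveContext and ValveBase are Tomcat 4's own types.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.Request;
import org.apache.catalina.Response;
import org.apache.catalina.ValveContext;
import org.apache.catalina.valves.ValveBase;

/** Realm and authenticator rolled into one Tomcat 4 Valve, installed under <Host>. */
public class TokenAuthValve extends ValveBase {
    /** Request attribute under which servlets and JSPs find the opaque token. */
    public static final String TOKEN_ATTR = "example.provider.token";
    private static final String SESSION_TOKEN = TOKEN_ATTR, SESSION_USER = TOKEN_ATTR + ".user";
    // Hypothetical wrapper around the external provider: login() returns an
    // opaque token object on success and null when the credentials are rejected.
    private final ExternalProvider provider = new ExternalProvider();

    public void invoke(Request request, Response response, ValveContext ctx)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) request.getRequest();
        HttpServletResponse hres = (HttpServletResponse) response.getResponse();
        HttpSession session = hreq.getSession(true);
        Object token = session.getAttribute(SESSION_TOKEN);   // cached per webapp session
        String user = (String) session.getAttribute(SESSION_USER);
        // Accept credentials only from a POST; they never belong in a query string.
        if (token == null && "POST".equals(hreq.getMethod())
                && hreq.getParameter("j_username") != null) {
            user = hreq.getParameter("j_username");
            token = provider.login(user, hreq.getParameter("j_password"));
            if (token == null) {                  // rejected: stop the pipeline here
                hres.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            session.setAttribute(SESSION_TOKEN, token);
            session.setAttribute(SESSION_USER, user);
        }
        if (token != null) {
            hreq.setAttribute(TOKEN_ATTR, token); // the hand-off the realm alone cannot do
            final String name = user;
            ((HttpRequest) request).setAuthType("TOKEN");
            ((HttpRequest) request).setUserPrincipal(new Principal() {
                public String getName() { return name; }
            });
        }
        ctx.invokeNext(request, response);        // requests without a token pass through
    }
}
```

Declare it in server.xml as a `<Valve className="TokenAuthValve"/>` inside `<Host>` so it runs for every webapp on the virtual host; since an HttpSession belongs to one webapp, this caches the token per webapp only, and host-wide SSO would still need a Host-level cache keyed by a cookie, as Tomcat's own SingleSignOn valve does.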


