tomcat-users mailing list archives

From "Craig Berry" <>
Subject RE: request for solution, form-based authentication and programmatic authentication, repost
Date Mon, 05 May 2003 18:31:18 GMT
I asked this question last month, and didn't get any useful advice.
It's easy for a servlet to create a "one time identity" good enough for
calling back to EJB resources, but there's no documented way (that I
could find) to hook that identity into Tomcat's session management so
that the identity persists across requests.  If anybody reading this
knows of such a way, I'd love to hear it.

Meanwhile, the horrible kludge I implemented to get around this works as follows:

1. The special access-granting page (your first-time-login info
gathering page) collects the username and password as you describe, and
stores them to the DB.  It also puts them into the session.  It then
sends a redirect back to the browser, pointing into the protected part
of your application.

2. JAAS intercepts the redirected request from the browser, and
redirects to the login form page.

3. The login form processor checks the session for the login info
stashed in step 1 above.  If present, it generates javascript onto the
page which populates the username and password onto the form, and then
submits the form automatically.

One tricky part of this scheme involves figuring out when to remove the
login object from the session, since you don't want it hanging around
longer than needed (since it would prevent normal logins from the
current session).  

-----Original Message-----
From: jarla [] 
Sent: Monday, May 05, 2003 11:47 AM
Subject: request for solution, form-based authentication and
programmatic authentication, repost

I am developing a web application based on tomcat 4.0 and servlets. The
application utilizes the form-based authentication and JDBCRealm.

The authorization and authentication should work like this:

A first-time user seeking access submits a form containing the requested
user name, password and some personal information. This authorizes the
user for later occasions (sessions) and grants access immediately.

A user authorized on a prior occasion (session) seeking access submits a
login form.

The latter function is handled by the form-based authentication.

I cannot, however, see a solution for the first function, i.e. how to
avoid that the first-time user submits a personal information form and
then submits a login form.

Is there any way to authenticate a user programmatically?
If not, is there any other way at all?

In advance, thanks for any contributions,
Jarl Aanonsen
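An added example (not code from this thread, from Tomcat, or from either poster) of the three-step handoff described in Craig Berry's reply above, written against the javax.servlet API: step 1 parks the just-registered credentials in the session and redirects into the protected area; the container performs step 2 by forwarding to the login page; step 3's login-form servlet consumes the parked object exactly once, removing it on first read and refusing it after a short timeout (which is the "when to remove it" problem the reply mentions), and auto-submits a standard j_security_check form using HTML-escaped hidden fields rather than writing the values into JavaScript string literals. The class names, session attribute key, 30-second timeout and URL paths are assumptions; persisting the new account into the JDBCRealm table is left to the application.

```java
// Three source files shown in one block; split at the file markers.
// --- PendingLogin.java ---
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Credentials parked in the session for exactly one automatic form login (hypothetical). */
final class PendingLogin {
    static final String ATTR = "pendingLogin";      // session attribute key (assumed name)
    static final long TTL_MILLIS = 30L * 1000L;      // discard if not consumed within 30 s (assumed)
    final String username;
    final String password;
    final long createdAt = System.currentTimeMillis();

    PendingLogin(String username, String password) {
        this.username = username;
        this.password = password;
    }

    boolean expired() {
        return System.currentTimeMillis() - createdAt > TTL_MILLIS;
    }
}

// --- RegisterServlet.java ---
/** Step 1: first-time registration page (hypothetical servlet, mapped to /register in web.xml). */
public class RegisterServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // Writing the new account to the realm's user table is application-specific and not
        // shown; the handoff below only succeeds once that row exists.
        HttpSession session = req.getSession(true);
        session.setAttribute(PendingLogin.ATTR, new PendingLogin(username, password));
        // Step 2 happens in the container: redirecting into the protected area triggers
        // form-based authentication, which shows the login form servlet below.
        resp.sendRedirect(req.getContextPath() + "/protected/welcome");   // assumed path
    }
}

// --- LoginFormServlet.java ---
/** Step 3: the login form page (hypothetical servlet, configured as the form-login-page). */
public class LoginFormServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        PendingLogin pending = null;
        if (session != null) {
            pending = (PendingLogin) session.getAttribute(PendingLogin.ATTR);
            // Consume on first read: whatever happens next, the credentials leave the session
            // now, so a later manual login from this session is never pre-filled.
            session.removeAttribute(PendingLogin.ATTR);
        }
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        if (pending != null && !pending.expired()) {
            writeAutoSubmitForm(out, pending);
        } else {
            writeManualForm(out);
        }
    }

    static void writeAutoSubmitForm(PrintWriter out, PendingLogin p) {
        // Values go into escaped attribute values, never into script text, so a username
        // containing quotes or "</script>" cannot break out of the page.
        out.println("<html><body onload=\"document.forms[0].submit()\">");
        out.println("<form method=\"POST\" action=\"j_security_check\">");
        out.println("<input type=\"hidden\" name=\"j_username\" value=\"" + escape(p.username) + "\">");
        out.println("<input type=\"hidden\" name=\"j_password\" value=\"" + escape(p.password) + "\">");
        out.println("<noscript><input type=\"submit\" value=\"Continue\"></noscript>");
        out.println("</form></body></html>");
    }

    static void writeManualForm(PrintWriter out) {
        out.println("<html><body><form method=\"POST\" action=\"j_security_check\">");
        out.println("User: <input type=\"text\" name=\"j_username\"><br>");
        out.println("Password: <input type=\"password\" name=\"j_password\"><br>");
        out.println("<input type=\"submit\" value=\"Log in\"></form></body></html>");
    }

    /** Minimal HTML attribute escaping for the five characters that matter. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The login servlet is wired in the usual way, with `<auth-method>FORM</auth-method>` and a `<form-login-page>` pointing at its mapping in web.xml. Two properties of the kludge remain by construction: the password sits in the session between the redirect and the login page, and it crosses the wire once more inside the auto-submitted response, so the site should be TLS-only and the session cookie should not outlive the handoff window by much. The single-read removal plus the timeout is what keeps a stale stash from silently logging a different person in from the same browser session.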
