tomcat-users mailing list archives

From "Craig Berry" <>
Subject RE: Realm
Date Mon, 26 May 2003 02:34:28 GMT
The trick is to set up your web.xml and login-config.xml to protect the servlets which should
require login.  Then the configured authentication mechanism (basic, form, whatever) will
automatically intercept non-logged-in user access, do the login, and put the authenticated
Principal information into the request where your servlet can get it using the method I mentioned.
Once you have that user name, your servlet can use it to look up whatever other information
is needed and put it in the session (or whatever).  Using a servlet filter for this purpose
is often even better; that way you can have all your login post-processing logic in one place
for many different protected resources.

	-----Original Message----- 
	From: Paul Hsu [] 
	Sent: Sun 5/25/2003 10:42 AM 
	To: Tomcat Users List 
	Subject: Re: Realm

	Thank you for your help.
	You are correct, I don't need to grab the password. You mean I just need to
	write a servlet and catch the user name from the request and get all user
	information and save them in the session. But how can I ask Realm to call my
	servlet after Tomcat does the authentication? I like to do same thing as website do.
	This web site can pull your account information after you log in.
	----- Original Message -----
	From: "Craig Berry" <>
	To: "Tomcat Users List" <>;
	Sent: Saturday, May 24, 2003 9:53 PM
	Subject: RE: Realm
	> The username can be obtained using the HttpServletRequest.getUserPrincipal
	> method (see
	> etRequest.html).  See the Principal doc on how to get the username string
	> from the returned Principal object.
	> In general, if you're going to use JAAS authentication, it's wise to
	> design your app so that it doesn't need to know the logged-in user's
	> password.  None of the standard authenticators put it anywhere conveniently
	> accessible, and for good reason; the less code involved in handling
	> passwords, the fewer places there are for a security exploit to grab it.  If
	> you really need to get the password to your own code, you'll need to write a
	> custom JAAS authenticator that does what you need.
	> -----Original Message-----
	> From: Paul Hsu []
	> Sent: Sat 5/24/2003 9:39 PM
	> To:
	> Cc:
	> Subject: Realm
	> Hi,
	> I am using Tomcat Realm to authenticate users to access a web site. I have
	> one question: how can I catch the user name/password after the Tomcat server
	> authenticates the user (Tomcat will pop up an authentication screen)? Any help would
	> be appreciated.
	> Paul
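The servlet-filter approach described in the top message, sketched as an added example that is not part of the original thread or of Tomcat itself. The class name, session key, `UserProfile` type and in-memory lookup are hypothetical, and the code assumes the `javax.servlet` API.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Map this filter in web.xml to the same url-pattern as the security-constraint,
// so it runs on the resources where the container enforces login.
public class LoginPostProcessingFilter implements Filter {
    static final String PROFILE_ATTR = "userProfile"; // hypothetical session key

    // Hypothetical profile type; it deliberately holds no password.
    public static final class UserProfile implements Serializable {
        final String username, displayName;
        UserProfile(String username, String displayName) {
            this.username = username;
            this.displayName = displayName;
        }
    }

    // Constructed sample data standing in for the application's user store.
    private static final Map<String, String> DISPLAY_NAMES = Map.of("alice", "Alice Example");

    static UserProfile lookUpProfile(String username) {
        return new UserProfile(username, DISPLAY_NAMES.getOrDefault(username, username));
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        Principal principal = request.getUserPrincipal(); // set by the container after login
        if (principal != null) {
            HttpSession session = request.getSession();
            Object cached = session.getAttribute(PROFILE_ATTR);
            // Reload if nothing is cached or the session now belongs to another user.
            if (!(cached instanceof UserProfile)
                    || !((UserProfile) cached).username.equals(principal.getName())) {
                session.setAttribute(PROFILE_ATTR, lookUpProfile(principal.getName()));
            }
        } // null principal: the request was not authenticated, so nothing is stored
        chain.doFilter(req, res);
    }
}
```

Protected servlets can then read the profile from the session attribute instead of repeating the lookup, and no application code ever touches the password.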