tomcat-users mailing list archives

From Malcolm Warren
Subject Re: How does Tomcat manage Form-based authentication?
Date Fri, 02 Apr 2004 08:12:26 GMT
Thank you for your answer. Sorry about the new thread for new topic 
business - I hadn't understood the thread mechanism.
I presume for this topic I'd better continue as we are and I'll get it 
right next time.

I was wondering exactly how the servlet container knows whether the user 
has already authenticated or not.
With BASIC authorization an "Authorization" header is sent and based on 
that the programmes know whether to re-present the sign in or not.

I'm using an old nuts and bolts programme that actually programmatically 
sent the "Authorization" header string for BASIC authorization, and I'd 
like to continue using this programme, but I have to tell the new FORM 
version that I've already signed in, and I don't know how.

On Thu, 1 Apr 2004 09:10:18 -0600, QM wrote:

> On Thu, Apr 01, 2004 at 04:38:49PM +0200, Malcolm Warren wrote:
> : With BASIC authorization, which I used to use, the browser was sent an
> : "Authorization" header.
> :
> : This doesn't happen with FORM-based authorization.
> : I believe Tomcat deals with it all, but how? Anybody know?
> Not sure I understand your question -- with FORM-based auth:
> - the container detects an attempt to access a protected resource
> - container sends requestor to designated form page, which posts
>   to the blackbox "j_security_check"
> - success => user is taken to originally-requested page
> - failure => user is taken to designated "no-go" page
> Is that the answer to your question?
> btw, please start new threads for new topics -- replying to an old
> message plays hell with thread-aware mail readers, even if you change
> the subject. ;)
> -QM
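
The following is an added example, not part of the original messages and not Tomcat's code: a simplified Python model of the FORM flow listed above, showing that the container recognises an already-authenticated user through the server-side session named by the request's cookie, not through an `Authorization` header. The user table, paths and page names are constructed for illustration, and the session-id change at login is a hardening step included in the model.

```python
# Simplified model of container-managed FORM login (constructed for
# illustration; not Tomcat source). Login state lives in the server-side
# session, which the client references with a session-id cookie.
import secrets

USERS = {"malcolm": "s3cret"}                            # constructed sample realm
PROTECTED = ("/app/",)                                   # constructed protected prefix
LOGIN_PAGE, ERROR_PAGE = "/login.html", "/error.html"    # assumed page names


class Container:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": ..., "saved": ...}

    def _session(self, cookie):
        """Return (id, state); an unknown or missing cookie gets a new session."""
        if cookie not in self.sessions:
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = {"user": None, "saved": None}
        return cookie, self.sessions[cookie]

    def handle(self, method, path, cookie=None, form=None):
        """Return (status, location_or_body, session_cookie)."""
        sid, s = self._session(cookie)
        if method == "POST" and path.endswith("/j_security_check"):
            form = form or {}
            user, pw = form.get("j_username"), form.get("j_password") or ""
            if user in USERS and secrets.compare_digest(USERS[user], pw):
                # Hardening: issue a fresh id at login so a pre-login id is useless.
                self.sessions.pop(sid)
                sid = secrets.token_hex(16)
                self.sessions[sid] = s
                s["user"] = user                     # principal cached in the session
                target, s["saved"] = s["saved"] or "/", None
                return 302, target, sid              # back to the original request
            return 200, ERROR_PAGE, sid              # the "no-go" page
        if path.startswith(PROTECTED) and s["user"] is None:
            s["saved"] = path                        # remembered until login succeeds
            return 200, LOGIN_PAGE, sid
        return 200, f"content of {path} for {s['user']}", sid
```

A client that only sends an `Authorization` header never presents a session holding a principal, so in this model every protected request lands on the login page.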
