tomcat-users mailing list archives

From Fred Toth
Subject Re: Customizing BASIC authentication
Date Fri, 20 Aug 2004 01:22:26 GMT

Thanks to you both, but my question is not so much about how
to get the user name in the request.

Instead, it's this: I need to use basic authentication (i.e. the browser
pops up the login), but then I need to run custom code to actually
check the login and password with an internal system, instead of
the usual options available out of the box (memory realms, jdbc realms, etc.)

I thought at first I would need a custom realm, but several messages on this
list gave me the impression that a realm can't really affect the 
I need to not only do custom authentication, but the response will also be
completely customized to the user who logs in.

I'm still learning here, but realms seem to be too limited, valves seem to
be too complex for the job.

Is there a simple middle ground?

Thanks again,


At 02:41 PM 8/16/2004 -0400, you wrote:
>Someone please correct me if I'm wrong here...
>Also be aware that non-protected pages will not provide you with a value to
>request.getRemoteUser().  I had assumed I could get the remote user from any
>page once the user logged in, but it doesn't work as I expected.  I believe
>there *was* a bug report over on the TC bugzilla system and the response I
>remember was that the system was working as designed.
>On Saturday 14 August 2004 12:13 am, Jacob Kjome wrote:
> > You can use request.getRemoteUser() to obtain the username.  The password
> > is not really accessible except by examining the http headers.
> >
> > Jake
> >
> > At 11:21 PM 8/13/2004 -0400, you wrote:
> > >Hi all,
> > >
> > >I've been spending the last few hours reading about realms,
> > >valves, authenticators and the like, and I'm totally confused.
> > >I'm hoping if I describe my situation, someone can help me
> > >cut through the fog.
> > >
> > >I'm working on a simple web app that will feed custom RSS XML
> > >to clients that must use basic authentication. In my application,
> > >I need to do more than just look up users somewhere. Instead, the
> > >login/password values returned via basic authentication headers will be
> > >used in some fairly complex ways to both authenticate and then
> > >construct the custom response.
> > >
> > >What is the simplest way to customize basic authentication
> > >in Tomcat 4? It seems that realms are not the way to go, since
> > >they just handle authentication and have nothing to do with the
> > >request/response. Valves/authenticators seem like overkill. Form
> > >based authentication is not an option.
> > >
> > >Can I have Tomcat manage basic authentication headers but pass
> > >the login/password values to my code? And can I then have access
> > >to that information in the servlet that creates the response?
> > >
> > >Many thanks,
> > >
> > >Fred
> > >
> > >
