tomcat-users mailing list archives

From Christopher Schultz
Subject Re: servlet and HTTP authentication
Date Fri, 28 Jul 2006 16:17:00 GMT

> However, following this approach I cannot use container-based
> authentication as the DBMS user management repository is not easily
> accessible via such a configuration but there are Java classes to
> authenticate the user using an API which is to be called from another Java
> class, a servlet, ...

One option is to create your own Realm implementation and use that for
authentication. I think you can pretty much use any authentication
mechanism that you want (including the existing Java classes you mention
that are available).

It's a relatively simple interface that you have to implement that
basically takes a username and password and returns a Principal object.
You'll have to install your new class into Tomcat (i.e. it can't just go
into WEB-INF/classes) because Tomcat needs direct access to that class
before your webapp is initialized.

If this solution doesn't seem to meet your needs, you can try looking at
the securityfilter project ( I
have used this filter for doing authentication and authorization. It can
be used as a drop-in replacement for Tomcat's built-in authentication,
and you can configure your own authenticator that does anything it
wants. For example, I created an authenticator that logs failed logins
as well as recording the IP address of the offending remote host. This
last part is not possible (that I know of) using the Tomcat Realm strategy.
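
An added example, not part of the original message or of Tomcat's own code: the custom Realm approach described above, written against the Tomcat 9 `RealmBase` and `GenericPrincipal` API (an assumption; constructor signatures differ in other Tomcat versions). The `UserDirectory` interface, the `directoryClass` attribute and the package name are hypothetical stand-ins for the existing authentication classes.

```java
package example.realm; // hypothetical package name

import java.security.Principal;
import java.util.List;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/** Realm that delegates credential checks to an existing Java authentication API. */
public class DelegatingRealm extends RealmBase {

    /** Hypothetical adapter around the existing authentication classes. */
    public interface UserDirectory {
        boolean verify(String username, String password);
        List<String> rolesOf(String username);
    }

    private String directoryClass; // set by Tomcat from the <Realm directoryClass="..."> attribute
    private UserDirectory directory;

    public void setDirectoryClass(String directoryClass) {
        this.directoryClass = directoryClass;
    }

    @Override
    protected void startInternal() throws LifecycleException {
        try {
            // Fail at startup, not at first login, if the backend adapter cannot be loaded.
            directory = (UserDirectory) Class.forName(directoryClass)
                    .getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | RuntimeException e) {
            throw new LifecycleException("Cannot load " + directoryClass, e);
        }
        super.startInternal();
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null
                || !directory.verify(username, credentials)) {
            return null; // null tells Tomcat the login failed
        }
        return getPrincipal(username);
    }

    @Override
    protected String getPassword(String username) {
        return null; // the backend never reveals passwords, so DIGEST auth is unavailable
    }

    @Override
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(username, null, directory.rolesOf(username));
    }
}
```

Because Tomcat instantiates the Realm before the webapp starts, the compiled class and the adapter it loads go in a JAR under `$CATALINA_BASE/lib`, referenced from a `<Realm className="example.realm.DelegatingRealm" directoryClass="..."/>` element.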
