tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: servlet and HTTP authentication
Date Fri, 28 Jul 2006 16:17:00 GMT
Kristian,

> However, following this approach I cannot use container-based
> authentication as the DBMS user management repository is not easily
> accessible via such a configuration but there are Java classes to
> authenticate the user using an API which to be called from another Java
> class, a servlet, ...

One option is to create your own Realm implementation and use that for
authentication. I think you can pretty much use any authentication
mechanism that you want (including the existing Java classes you mention
that are available).

It's a relatively simple interface that you have to implement that
basically takes a username and password and returns a Principal object.
You'll have to install your new class into Tomcat (i.e. it can't just go
into WEB-INF/classes) because Tomcat needs direct access to that class
before your webapp is initialized.

If this solution doesn't seem to meet your needs, you can try looking at
the securityfilter project (http://securityfilter.sourceforge.net/). I
have used this filter for doing authentication and authorization. It can
be used as a drop-in replacement for Tomcat's built-in authentication,
and you can configure your own authenticator that does anything it
wants. For example, I created an authenticator that logs failed logins
as well as recording the IP address of the offending remote host. This
last part is not possible (that I know of) using the Tomcat Realm strategy.

-chris



Mime
View raw message