tomcat-users mailing list archives

Subject Re: servlet and HTTP authentication
Date Thu, 27 Jul 2006 16:21:36 GMT
<Sorry for top post:  Notes e-mail client restriction>
If you configure Tomcat to NOT require authentication for this particular 
servlet, then your servlet can examine the credentials, and if they are 
absent or insufficient, send a 401 - Not Authorized response, which causes 
the browser to prompt for id/pass.  You can also manipulate the "realm" 
identified in that prompt by adding a WWW-Authenticate header to the 401:

    WWW-Authenticate: Basic realm="My Document Management System"

I'm not sure if tomcat will interpret the resulting "Authorization" header 
in the next request, given that you asked him not to authenticate, but you 
can always ask for the contents of that header, strip off the "Basic " 
from the front, and Base64.decode the rest, yielding userid:password. 
Split on the ":" and you have your id and password.

Please respond to "Tomcat Users List" <>

To:     Tomcat Users List <>
Subject:        servlet and HTTP authentication

Hi all;

gotta solve a very special authentication situation: Users need to have
access to certain file packages using a URL like


with <package-id> referring to an identifier stored in a local document
management system. User information (id, password) is stored in the DMS
database as well. To provide access to a certain package, I need to ensure

(a) the user is valid (thus, has authenticated)
(b) the user is owner of the package (which I can find out using the DMS
database as well)

However, following this approach I cannot use container-based
authentication as the DBMS user management repository is not easily
accessible via such a configuration but there are Java classes to
authenticate the user using an API which is to be called from another Java
class, a servlet, ...

So, my question: Is there a way to configure Tomcat that, for a given
servlet or resource, an HTTP authentication window will appear and, then,
the data entered there (username, password) is given to the servlet in
order to do anything useful with it? I _suppose_ those parameters should
be available as part of the Request, but I don't know how to make tomcat
demand HTTP authentication _without_ automatically validating these

Any hints on that?
TIA and bye,

--
Kristian Rink * * jab:
icq: 48874445 *  fon: ++49 176 2447 2771
"When one person dreams alone, it is only a dream. When many dream
together, it is the beginning of a new reality." (Hundertwasser)
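
The header handling described in the reply above, as an added example that is not part of the original thread (Java 16 or later). The class name BasicAuthHeader and the Credentials record are hypothetical, and UTF-8 is assumed for the decoded bytes. It goes slightly beyond the reply by rejecting malformed headers and by splitting on the first ":" only, since a password may itself contain colons.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthHeader {
    /** Decoded pair; hypothetical helper type for this example. */
    public record Credentials(String user, String password) {}

    /**
     * Parses the value of request.getHeader("Authorization").
     * Empty result means absent or malformed: the servlet should then set
     * WWW-Authenticate: Basic realm="..." and send SC_UNAUTHORIZED (401).
     * Basic credentials are only Base64-encoded, so serve this over TLS.
     */
    public static Optional<Credentials> parse(String header) {
        if (header == null) return Optional.empty();
        String h = header.trim();
        // The scheme name is case-insensitive and followed by a space.
        if (h.length() < 7 || !h.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(h.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid Base64
        }
        // Assumption: credentials were encoded as UTF-8.
        String pair = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: the user id cannot contain ':',
        // but the password can.
        int colon = pair.indexOf(':');
        if (colon < 0) return Optional.empty();
        return Optional.of(
            new Credentials(pair.substring(0, colon), pair.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample: the password "s3cr:et" contains a colon.
        String sample = "basic " + Base64.getEncoder()
            .encodeToString("alice:s3cr:et".getBytes(StandardCharsets.UTF_8));
        System.out.println(parse(sample));
        System.out.println(parse("Basic !!!")); // malformed Base64
        System.out.println(parse(null));        // header absent
    }
}
```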
