tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: Executing Valve before Basic Authentication takes place
Date Wed, 05 Jul 2006 01:46:10 GMT
Mark is correct:  request.addHeader has been deprecated in 5.5.x+, and 
doesn't actually do anything at all.  See Mark's response for the correct 
way to add your own request header.

Alternatively, if you set the userPrincipal on the Request in your Valve, 
then Tomcat won't bother to try and authenticate the user at all.

"Böhringer Jochen" <> wrote in message 

>Again, put your valve in host, not context if you want it to be called
>before authentication

Sorry I misunderstood your hint. Now I have this configuration (with Valve 
and Host element on the same level):

<Valve className="de.tccproducts.valves.PenFrameworkAuthenticationValve" />

<Host name="localhost"
            autoDeploy="false" deployOnStartup="false" deployXML="false">

Now my valve is called before the authentication takes place. 
But adding the Authorization header before the BasicAuthenticator is called 
does not prevent the BasicAuthenticator from sending back a SC_UNAUTHORIZED.

I add the basic authentication header using this method in my valve:

request.addHeader("Authorization", "Basic am9jaGVuYjpqb2NoZW5i");

But if I have a look in the BasicAuthenticator implementation I can see, 
that the basic authenticator reads the header's value using this code:

MessageBytes authorization =

So I think the request object I modify does not reflect its changes to the 
CoyoteRequest the BasicAuthenticator reads the values from. Is there a 
solution to modify the CoyoteRequest?


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
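
The alternative mentioned in the reply above (setting the user principal on the Request from the Valve), as an added example that is not code from the thread or from Tomcat itself. Assumptions: the javax.servlet-based Valve API of Tomcat 5.5 through 9, a hypothetical class and package name, and hypothetical username/password attributes set on the Valve element in server.xml. The principal is obtained from the configured Realm rather than constructed by hand, so a rejected credential leaves the request unauthenticated and the authenticator challenges as usual.

```java
package example.valves; // hypothetical package name

import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;

import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

// Hypothetical valve: place it at Engine or Host level so it runs before
// the web application's authenticator valve.
public class PreAuthenticationValve extends ValveBase {

    // Hypothetical attributes, populated from the <Valve .../> element.
    private String username;
    private String password;

    public void setUsername(String username) { this.username = username; }
    public void setPassword(String password) { this.password = password; }

    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Leave an already authenticated request untouched.
        if (request.getUserPrincipal() == null && username != null) {
            // Realm configured on (or inherited by) the container that
            // holds this valve, e.g. the Engine.
            Realm realm = getContainer().getRealm();

            // The Realm checks the credentials and returns a principal
            // carrying the user's roles, or null when it rejects them.
            Principal principal =
                (realm == null) ? null : realm.authenticate(username, password);

            if (principal != null) {
                // With a principal already on the Request, the authenticator
                // does not issue its own challenge.
                request.setUserPrincipal(principal);
            }
        }

        // Always hand the request on to the rest of the pipeline.
        getNext().invoke(request, response);
    }
}
```

Every request passing through this valve is treated as the configured user once the Realm accepts the credentials, so nest the valve in the narrowest container that needs it.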
