tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rpr_listas <>
Subject Re: Form authentication with captcha...
Date Wed, 04 Jul 2007 08:15:03 GMT
Hello David,

I know that this is out of the specification, and bind my application to 
this server implementation, but modify the realm has the same problem, 
transform my application in a tomcat-only application.

Build a custom authentication is not solution, because this disconnect 
the application from the J2EE standard, and I prefer to fit to standards 
in the rest of the application. I think that the better approach could 
be a custom authentication servlet and this servlet store a new 
Principal in the container. But i think that in J2EE can't access to do 
this from servlet.

Best regards.

David Delbecq escribió:
> Hello,
> Form authnetificator does form based authentification regarding the
> corresponding J2EE specifications, which specify the submit name of the
> username field (j_username), the submit name of the user password
> (j_passwrd), and that's all. Of course you, developper of webapplication
> can customize form (adding company logo, etc), but the specs states that
> user must provide username and password and submit it to
> /j_security_check url. Adding a captcha in this specs or other
> informations is not possible like that.
> The only 2 ways i see to add captcha and not break specs is either
> 1) to create a realm that expect the captcha to be appended or perpended
> to password.
> eg:
> j_username: johnSmith
> j_password: 12345@captcha=AdQ1
> The realm could probably compare the provided captcha with some value
> stored somewhere else
> the j_password field could be constructed, client side, with javascript,
> from 2 not submitted fields.
> or
> 2) Don't rely on container security and provide your own security with
> you own whatever forms.
> En l'instant précis du 03/07/07 10:45, rpr_listas s'exprimait en ces
> termes:
>> Hi all!
>> I'm thinking in implement a captcha
>> ( protection for web-based
>> authentication. I'm looking in the tomcat surce and the form
>> authentication seems be implemented by
>> org.apache.catalina.authenticator.FormAuthenticator class.  But I'm
>> not sure if change this class is the right way.
>> Are there other better method to do this?
>> Must I change the FormAutenticator class or must extend it in other
>> class and i can refer to it in the tomcat configuration ?
>> Thanks in advance and best regards.
>> Ricardo.

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message