tomcat-users mailing list archives

From: lightbulb432
Subject: Authentication and authorization questions
Date: Wed, 29 Aug 2007 04:33:29 GMT

I have several questions about authentication and authorization in Tomcat
below, so answer only what you can :) Thanks.

Where does Tomcat authentication fit into the request processing lifecycle?
Does it happen before even the very first filter gets called? What happens
just before and just after authentication?

Where does the role-based authorization fit into this process?

When you login using form-based authentication, where invalid login attempts
redirect to the "form-error-page", how do you add a custom message to that
page saying "Login Failed"? I ask because common practice is to send the
user to the same login page rather than a different page.

Is it configurable whether Tomcat uses redirects or forwards after
successful or unsuccessful attempts? What's the default for both?

How can you use JDBCRealm or DataSourceRealm with foreign keys from the roles
table to the user table, rather than requiring the roles table to duplicate
whatever field (e.g. username, email address) will actually be entered into
the login screen? I ask because using simple text-matching rather than using
the primary key of the user table seems a bit inefficient, but more
importantly it may be disallowed by data standards in some organizations.
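One way to reconcile a normalized schema with the realm's expectations, as an added example that is not part of the original message: DataSourceRealm looks up roles with a single query of the form `SELECT roleNameCol FROM userRoleTable WHERE userNameCol = ?`, so a view that joins the role assignments back to the users table through the foreign key can be handed to the realm as `userRoleTable`. The table and column names (`app_user`, `app_role`, `user_role`, `v_user_roles`) and the `jdbc/AuthDB` DataSource name are assumptions for the example; the Realm attribute names are Tomcat's own.

```sql
-- Normalized schema: roles reference users by primary key, not by username.
CREATE TABLE app_user (
    user_id   INTEGER      PRIMARY KEY,
    username  VARCHAR(64)  NOT NULL UNIQUE,
    password  VARCHAR(128) NOT NULL          -- store a digest, not plaintext
);

CREATE TABLE app_role (
    role_id   INTEGER     PRIMARY KEY,
    role_name VARCHAR(64) NOT NULL UNIQUE
);

-- Join table carries only foreign keys; no duplicated username column.
CREATE TABLE user_role (
    user_id INTEGER NOT NULL REFERENCES app_user(user_id),
    role_id INTEGER NOT NULL REFERENCES app_role(role_id),
    PRIMARY KEY (user_id, role_id)
);

-- The view presents the (username, role_name) shape the realm queries,
-- while the underlying data stays keyed by user_id and role_id.
CREATE VIEW v_user_roles AS
SELECT u.username, r.role_name
FROM   user_role ur
JOIN   app_user  u ON u.user_id = ur.user_id
JOIN   app_role  r ON r.role_id = ur.role_id;

-- Constructed sample data to exercise the view.
INSERT INTO app_user VALUES (1, 'alice', 'digest-placeholder');
INSERT INTO app_role VALUES (10, 'manager');
INSERT INTO user_role VALUES (1, 10);

-- This is the query the realm effectively issues for the role lookup;
-- it returns one row: manager
SELECT role_name FROM v_user_roles WHERE username = 'alice';

-- Matching server.xml or context.xml Realm element (attribute names are
-- Tomcat's; the DataSource name is assumed). userNameCol is used for both
-- the user table and the role view, which is why the view exposes username.
--   <Realm className="org.apache.catalina.realm.DataSourceRealm"
--          dataSourceName="jdbc/AuthDB"
--          userTable="app_user"     userNameCol="username" userCredCol="password"
--          userRoleTable="v_user_roles" roleNameCol="role_name"/>
```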
