tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lightbulb432 <>
Subject Re: Authentication and authorization questions
Date Thu, 30 Aug 2007 00:49:14 GMT

Great response. Follow-up questions below:

Christopher Schultz-2 wrote:
> When you login using form-based authentication, where invalid login
> attempts
>> redirect to the "form-error-page", how do you add a custom message to
>> that
>> page saying "Login Failed"? I ask because common practice is to send the
>> user to the same login page rather than a different page.
> You can do whatever you want, since you get to control the pages for
> login and login-error.

But if the login and login-error pages are the same page (meaning that when
someone fails an access check they get redirected to the login-error page,
which is actually the login page where they must re-enter their credentials)
how could you put information into the request or session scope to be
accessed by the page?

In my login/login-error page, I could have a ${loginFailedMessage} printed
in bold, red text, but where would I set this text in the first place for a
generic message like "Login failed"? The loginFailedMessage variable
wouldn't be set when the login page is accessed through a GET, but would be
when forwarded/redirected to by Tomcat upon login failure. 

In fact, how could I add all sorts of state to the request so that the
message could read "Login failed for page ${failedPageName}" or some other
parameterized text?

In fact, I don't much care for the TC implementation of the whole
> authentication thing anyway, so I have opted to dump it and use
> securityfilter instead. Primarily, it allows me to do direct logins
> (submit to j_security_check even when no protected resource has been
> requested), and I can write my own authenticator that isn't tied to
> Tomcat's implementation in any way. That allows me to switch TC versions
> or to another vendor entirely without changing a single thing in my
> implementation. But that's just me.

I agree completely. I've been having a lot of problems with Tomcat
authentication and authorization, and would like to use a custom solution.
The only thing that deters me, and which applies to securityfilter as well,
is the lack of SSO across contexts. Although I don't see an immediate need
for SSO across contexts, I wouldn't want to have to rewrite an entire
security architecture if the need arises. (And it may well arise if you
decide to split up a large website's modules into different contexts.)

The securityfilter projects says they're looking into SSO, but the project
looks inactive enough that I'm not going to hold my breath. I tried looking
for other Java servlet security products or projects, but nothing really
came up.

Any thoughts on this all?
View this message in context:
Sent from the Tomcat - User mailing list archive at

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message