tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From lightbulb432 <>
Subject Re: Single-sign on without form-based authentication
Date Thu, 30 Aug 2007 20:14:38 GMT

Wow, those are good suggestions. I was thinking about the String
concatenation, but didn't think it was worth considering further until you
just mentioned it. So let me see if I have this straight:

Anytime I want to use more than two credentials, I have to provide my own
Realm implementation. But the only time I need to do the String
concatentation is when at least one of the additional credentials (i.e.
beyond username and password) is provided at request-time by the user,
rather than at deployment-time?

So for the example you gave with the "appId" property on my Realm
implementation, I wouldn't need to do String concatentation because the user
is only providing two credentials? But if the user were specifying what
application they wanted to log into, then I'd have to concatenate that
before passing to the authenticate method because Realm hasn't been
instantiated with that information?

If your HTML form has a "j_username", "j_password" and "myThirdCredential",
where would you concatenate j_password and myThirdCredential? I'm guessing
you'd also have to override the servlet pointed to by j_security_check - if
I'm correct, how would you override this? (My guess is the servlet class
pointed to by the text "j_security_check" is hardcoded somewhere within

Christopher Schultz-2 wrote:
> Hash: SHA1
> Lb,
> lightbulb432 wrote:
>> Views would definitely allow me to keep the two tables separate, but then
>> I'd
>> have to authenticate against the two source tables separately (i.e. each
>> application would point to the source table rather than to the view). If
>> pointing both applications to the common view, then doesn't the original
>> problem exist?
> Don't do that. Create separate views for each of your applications, and
> use the app-appropriate view for authentication.
> If you think this sounds like too much trouble, you're right. Just
> remember that Tomcat implements the simplest thing that could possibly
> work wrt authentication. If you don't like it, you can always override
> the authentication mechanism with something else (securityfilter!) or
> hand-roll your own realm.
>> I took a look at JAASRealm and its authenticate method only takes two
>> parameters (username and "credentials", which is really just a single
>> password string). 
>>> Is it possible to pass my other credentials to the JAASRealm so that I
>>> can
>>> pass everything at one time (username, password, other credentials) to
>>> the
>>> stored procedure, rather than - if I've interepreted this correctly -
>>> authenticating once through the JAAS username/password, then again
>>> through
>>> my stored procedure to "cancel out" the previous authentication.
> Uh, you could always pass a concatenated "credential" which includes
> more than just the password. For instance:
> JAASRealm.authenticate(username, appId + ":" + hash(password));
> Then, in your stored procedure, tear apart the "credential" and use part
> of it as the app identifier. Or, put the appId into the username.
> Whatever you want to do. There are lots of options.
>> So if not JAASRealm, perhaps I need to look at something else to
>> customize?
>> I could of course implement my own authentication, but if I can get
>> around
>> this one shortcoming of the "credentials" concept being considered a
>> password String rather than a generic Collection of multiple Objects,
>> then I
>> think I might be able to use Tomcat authentication.
> You can still use Tomcat's authentication "mechanism"... you just might
> have to use your own Realm implementation. Frankly, the
> org.apache.catalina.Realm interface is baffling to me.
> One option is to create a Realm that extends JDBCRealm (or, better yet,
> DataSourceRealm) and override the authentication method to do your own
> SQL queries, but keep all the configuration options provided by the
> superclass. You can even add a configuration option by adding a mutator
> and accessor to specify the app's id. Then you can do something like
> this in your context.xml:
>       <Realm  className=""   // extends JDBCRealm
>              driverName=""
>           connectionURL="jdbc:mysql://localhost/authority"
>          connectionName="test"
>       connectionPassword="test"
>                userTable="users"
>              userNameCol="user_name"
>              userCredCol="user_pass"
>           userRoleTable="user_roles"
>             roleNameCol="role_name"
>                   appId="application-1" />
> Just make sure you have setAppId and getAppId methods on your Realm
> implementation, and then use them when you build your SQL query to
> verify a login.
> - -chris
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla -
> iD8DBQFG1wuQ9CaO5/Lv0PARAh6IAKCIY9aMp59xFxXHIj9z4eCfF+SYngCeMfDF
> O1Gr8CyGEsukK3BFtBw5voQ=
> =Tzs2
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:

View this message in context:
Sent from the Tomcat - User mailing list archive at

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message