tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Authentication and authorization questions
Date Thu, 30 Aug 2007 13:23:36 GMT

lightbulb432 wrote:
> But if the login and login-error pages are the same page (meaning
> that when someone fails an access check they get redirected to the
> login-error page, which is actually the login page where they must
> re-enter their credentials) how could you put information into the
> request or session scope to be accessed by the page?

You would have to do it manually. I dunno... count the number of times
the page is displayed with no credentials? It's not a graceful thing to
do by any means. What we do is have two separate pages: the login page,
and the login error page which basically says "error=true; forward to
login-page;". Then the login page looks for the "error" flag. You need
two pages for this, though.

I haven't tried it, but you might be able to make the login-error page
something like "login.jsp?failed=true". That might work.

> In fact, how could I add all sorts of state to the request so that
> the message could read "Login failed for page ${failedPageName}" or
> some other parameterized text?

You don't have access to the saved request or anything like that. You
might be able to hunt around for it, but there would be no guarantee
that it would work across Tomcat versions, since it's not standard.

> I agree completely. I've been having a lot of problems with Tomcat 
> authentication and authorization, and would like to use a custom
> solution.

I don't really see any problems... mainly shortcomings.

> The only thing that deters me, and which applies to securityfilter as
> well, is the lack of SSO across contexts.

Yup; securityfilter doesn't do SSO. But, you could potentially write
your own securityfilter-friendly SSO valve. Just look at the existing
SSO Valve and you might be inspired.

> The securityfilter projects says they're looking into SSO, but the
> project looks inactive enough that I'm not going to hold my breath.

securityfilter is all but dead AFAICT. Fortunately, it's pretty much got
everything it needs right now. If you submit a patch or an idea, the
maintainer will probably put it in; he's just not particularly motivated
to add stuff to it right now.

> I tried looking for other Java servlet security products or projects,
> but nothing really came up.

I think that's because most people are scared of "security" projects and
tend to rely on the container for the whole shebang. I think that's a
reasonable stance. On the other hand, securityfilter already exists...
why reinvent it? ;)

-chris
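The two-page arrangement described in the reply above (a form-error-page that sets a flag and forwards to the login page, which then looks for the flag) is what a Tomcat FORM-authentication web app needs in order to show a failure message on the login page itself. The following is an added example, not code from the original thread or from any project named in it; the file names (login.jsp, login-failed.jsp), the request attribute name "loginFailed", the URL pattern /secure/* and the role name "user" are assumptions chosen for illustration. Only the web.xml fragment and the two JSP pages are shown; everything else (the realm, the protected resources) is left as in your own application.

```jsp
<%-- ===== WEB-INF/web.xml (fragment) =====
     Container-managed FORM authentication. The login page and the error
     page are two separate resources, as suggested in the reply above.
     (This part is XML; it is shown here in the same block for brevity.) --%>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example</realm-name>            <!-- assumed realm name -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>        <!-- assumed pattern -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>                 <!-- assumed role -->
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>user</role-name>
</security-role>

<%-- ===== login-failed.jsp =====
     Tomcat forwards here (server side, same request) after j_security_check
     rejects the submitted credentials. The page emits nothing itself: it sets
     a request-scoped flag and forwards on to the real login page, so the user
     sees a single login page that also carries the error message. The flag
     lives only in this request, so nothing is stored in the session. --%>
<% request.setAttribute("loginFailed", Boolean.TRUE); %>
<jsp:forward page="/login.jsp" />

<%-- ===== login.jsp =====
     The only login page the user ever sees. It is served both for the first
     visit (no flag) and after a failure (flag set by login-failed.jsp). A
     scriptlet is used instead of JSTL so the page has no extra dependency. --%>
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<html>
<body>
<% if (request.getAttribute("loginFailed") != null) { %>
  <%-- Keep the message generic: do not reveal whether the username exists
       or which of the two fields was wrong. --%>
  <p class="error">Login failed. Please check your username and password.</p>
<% } %>
<%-- The form must post to j_security_check with exactly these field names;
     that is the contract of servlet FORM authentication. --%>
<form method="post" action="j_security_check">
  <label>Username
    <input type="text" name="j_username" autocomplete="username">
  </label>
  <label>Password
    <input type="password" name="j_password" autocomplete="current-password">
  </label>
  <input type="submit" value="Log in">
</form>
</body>
</html>
```

Because the container reaches login-failed.jsp by a server-side forward, the flag only ever exists on the request that carried the rejected credentials, and a user cannot set it by hand; since it only changes a message, it would be harmless if they could. The query-string variant mentioned in the reply (naming the error page as login.jsp?failed=true) is not shown here because the reply itself says it was untried.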

