tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Single-sign on without form-based authentication
Date Thu, 30 Aug 2007 20:58:32 GMT


lightbulb432 wrote:
> Anytime I want to use more than two credentials, I have to provide my
> own Realm implementation. But the only time I need to do the String 
> concatenation is when at least one of the additional credentials
> (i.e. beyond username and password) is provided at request-time by
> the user, rather than at deployment-time?

Well, I think that if you are going to do your own Realm implementation,
you're better off with my (long) suggestion from my previous post. The
concatenation thing basically doesn't work... there's no way (unless you
use javascript... <shudder>) to concatenate that information before the
authenticator gets its hands on the credentials.

> So for the example you gave with the "appId" property on my Realm 
> implementation, I wouldn't need to do String concatenation because
> the user is only providing two credentials?

Correct. The big problem with the Realm interface is that it doesn't
accept an HttpServletRequest object... you only have access to the
information that Tomcat wants you to have (like the username and
password, and some other stuff like the message digest to use... MAYBE).
Like I said, the Realm interface is a bit baffling.

> But if the user were specifying what application they wanted to log
> into, then I'd have to concatenate that before passing to the
> authenticate method because Realm hasn't been instantiated with that
> information?

Er, yeah, but I have no idea how you'd do that. When you write your own
Realm, you're still just getting the information Tomcat is willing to
supply. If you want to pass more arguments, I think you're talking about
replacing the authentication Valve at that point. Good luck! ;)

> If your HTML form has a "j_username", "j_password" and
> "myThirdCredential", where would you concatenate j_password and
> myThirdCredential?

I dunno. The plan goes like this:

1. Add the 3rd credential to your login form.
2. ???
3. Profit.

> I'm guessing you'd also have to override the servlet pointed to by
> j_security_check - if I'm correct, how would you override this?

You basically can't.

> (My guess is the servlet class pointed to by the text
> "j_security_check" is hardcoded somewhere within Tomcat?)

I don't think it's a servlet... I think it's a Valve that intercepts
requests to /j_security_check when applying authentication and
authorization is appropriate for a particular (previously-requested) URL.

-chris

