tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: Optional authentication
Date Fri, 03 Aug 2007 01:33:31 GMT

"Bruno Harbulot" <> wrote in message
> Hello,
> I would like to be able to require authentication optionally and make my
> servlets or JSPs behave differently depending on which Principals they 
> get.
> For example, I'd like a GET to be able to return a 200 status and not
> 401, even if the user has not been authenticated.
> Presumably, this is similar to what happens on web sites that say in a
> corner "You're not logged in", but still display some information (e.g.
> forums).
> I've managed to set up authentication using either HTTP Basic or SSL
> client certificates. However, I'm not sure if there are mechanisms to
> let the servlet handle the roles and restrictions "manually", for
> example using request.getUserPrincipal().
> When I use this type of configuration:
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Test</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>user</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> </login-config>
> the authentication works, but removing the <auth-constraint /> element
> removes any authentication challenge, even if, in this case, a
> recognised SSL client certificate is used (whether using
> clientAuth="true" or clientAuth="want"). I'd also like the solution not
> to rely on
> request.getAttribute("javax.servlet.request.X509Certificate"), as I'd
> like to be able to keep the abstraction provided by <auth-method />, etc.
> Any suggestions? I might have missed something in the documentation.

You haven't missed anything. Tomcat simply doesn't try to authenticate a 
user if authentication isn't required. Simplest and most portable is to 
create a Filter that is configured as the first filter, and takes an 
auth-method init param to tell it what to use, and then wraps the request in 
a HttpServletWrapper that overrides getUserPrincipal before sending it on 
its way.

Other options include extending one or more of Tomcat's Authenticators, and 
configuring your app to use your Authenticator rather than Tomcat's.

> Best wishes,
> Bruno.
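The filter approach described in the reply above, written out as an added example (this is illustrative code, not Tomcat's and not anything posted in the thread). It assumes Java 9 or later, the javax.servlet API, and a hypothetical in-memory user/role store standing in for a real realm. For CLIENT-CERT it necessarily reads the "javax.servlet.request.X509Certificate" attribute, since that is the only place the container exposes a certificate the SSL layer has already verified when clientAuth="want"; the abstraction the servlets see is still just getUserPrincipal()/isUserInRole(). With no <security-constraint> in web.xml, the filter never sends a 401: an unauthenticated or wrongly-authenticated caller simply proceeds as anonymous and the servlet or JSP decides what to render.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/*
 * Optional-authentication Filter (example only). Map it first, on /*, with an
 * init-param named "auth-method" set to BASIC or CLIENT-CERT, and declare NO
 * <security-constraint>, so Tomcat's own authenticator never challenges.
 */
public class OptionalAuthFilter implements Filter {

    // HYPOTHETICAL credential/role store; a real deployment would consult a realm.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("user"));

    private String authMethod = "BASIC";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String m = config.getInitParameter("auth-method");
        if (m != null) authMethod = m.trim().toUpperCase();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal p = "CLIENT-CERT".equals(authMethod) ? fromClientCert(http) : fromBasicHeader(http);
        // No challenge, ever: a null principal means "anonymous", and the servlet
        // decides what to show via getUserPrincipal()/isUserInRole().
        chain.doFilter(new AuthenticatedRequest(http, p, authMethod), res);
    }

    @Override
    public void destroy() { }

    /** Optional HTTP Basic: a missing, malformed or wrong header yields null, not a 401. */
    static Principal fromBasicHeader(HttpServletRequest req) {
        String h = req.getHeader("Authorization");
        if (h == null || !h.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(h.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String expected = PASSWORDS.get(user);
        // Constant-time comparison so wrong guesses cannot be distinguished by timing.
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) return null;
        return new SimplePrincipal(user);
    }

    /** Optional CLIENT-CERT: the attribute is only present when the client sent a chain
     *  and the SSL layer accepted it against the truststore (clientAuth="want"). */
    static Principal fromClientCert(HttpServletRequest req) {
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[])) return null;
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return null;
        return chain[0].getSubjectX500Principal();   // end-entity certificate comes first
    }

    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Wrapper that makes the filter's decision visible through the standard servlet API. */
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final String authType;

        AuthenticatedRequest(HttpServletRequest r, Principal principal, String authType) {
            super(r);
            this.principal = principal;
            this.authType = authType;
        }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal == null ? null : principal.getName(); }
        @Override public String getAuthType() { return principal == null ? null : authType; }
        @Override public boolean isUserInRole(String role) {
            return principal != null
                && ROLES.getOrDefault(principal.getName(), Collections.emptySet()).contains(role);
        }
    }
}
```

Two caveats follow from the design. First, because the filter never emits WWW-Authenticate, a browser will never prompt for Basic credentials on its own; a "log in" link pointing at a path that does return 401 (or an explicit form) has to supply that, and Basic should only be accepted over HTTPS. Second, the filter enforces nothing by itself: every servlet or JSP that shows protected data must check isUserInRole() before rendering it, since with the <security-constraint> removed the container no longer does.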

