tomcat-users mailing list archives

From "alee amin" <>
Subject Tomcat Security - implementing custom security
Date Tue, 18 Sep 2007 10:46:45 GMT

I was able to implement the form-based Tomcat security on my web app. It was
good. But because of some restriction from the client I need to modify it.

The password is placed in encrypted form in the DB, so I cannot rely on
Tomcat's "authenticate" method, which simply "selects" the username/password
from the DB and matches it. I have seen the implementation of (

Now, what I did: I wrote a CustomRealm


import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class CustomRealm extends RealmBase {

    // Short name for this realm, used in Tomcat's log messages.
    protected String getName() {
        return this.getClass().getSimpleName();
    }

    // Stored password for the user, decrypted from its database form.
    protected String getPassword(final String username) {
        return retrieveEncryptedPassAndDecrypt(username);
    }

    protected Principal getPrincipal(final String username) {
        final List<String> roles = new ArrayList<String>();
        return new GenericPrincipal(this, username, getPassword(username),
                roles);
    }

    public Principal authenticate(String username, String credentials) {
        String serverCredentials = getPassword(username);

        //credential encrypt

        boolean validated;
        if (serverCredentials == null)
            validated = false;
        else if (hasMessageDigest())
            // Line cut off in the archive; completed as in RealmBase.authenticate().
            validated = serverCredentials.equalsIgnoreCase(digest(credentials));
        else
            validated = serverCredentials.equals(credentials);
        if (!validated) {
            return null;
        }
        return getPrincipal(username);
    }

    public String retrieveEncryptedPassAndDecrypt(String username) {
        // The method body is not included in the archived message.
        throw new UnsupportedOperationException("body not in archived message");
    }
}

I put that file in server/lib and changed the server.xml with this entry

<Realm className="" debug="0" />

It works fine.

But now, when I am deploying it to the application, I am wondering how I would
communicate with the database, since my DB layer is a combination of Spring,
Hibernate and all DAOs, beans of the application will not be available here in
this class of mine, since it's on the server side - application independent.

If I put this class in the application WAR file and change the server.xml file
to point to that class, my server gives an exception at startup, "class not
found", which is quite logical.

Now, actually what I want is to use the Tomcat security to match
user/password (the password is in encrypted form in the DB - encryption done by
my application before saving). If I use my custom realm, then how can I access
my DB connection classes populated by Spring/Hibernate?

Muhammad Ali
Software Engineer - E2ESP
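
An added example, not part of the original message and not Tomcat code: a realm loaded from server/lib cannot see classes inside the web application, so this helper reads the stored credential with plain JDBC (the driver jar placed beside the realm) instead of the application's Spring/Hibernate beans. The class name RealmCredentialStore and the table and column names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Hypothetical helper for a realm deployed in Tomcat's server class loader. */
public class RealmCredentialStore {

    // Assumed schema: table "users" with columns "user_name" and "user_pass".
    private static final String QUERY =
            "SELECT user_pass FROM users WHERE user_name = ?";

    private final String url, dbUser, dbPassword;

    public RealmCredentialStore(String url, String dbUser, String dbPassword) {
        this.url = url;
        this.dbUser = dbUser;
        this.dbPassword = dbPassword;
    }

    /** Returns the stored credential, or null when the user does not exist. */
    public String storedCredential(String username) throws SQLException {
        // Bound parameter: the login form's username never becomes SQL text.
        try (Connection c = DriverManager.getConnection(url, dbUser, dbPassword);
             PreparedStatement ps = c.prepareStatement(QUERY)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    /** Compares two credentials without stopping at the first differing byte. */
    public static boolean matches(String stored, String presented) {
        if (stored == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

A realm's getPassword could delegate to storedCredential, with the connection settings supplied as attributes on the Realm element in server.xml, the way Tomcat's JDBCRealm takes its connectionURL, connectionName and connectionPassword.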
