tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Anonymous access with Tomcat Authentication configured.
Date Tue, 09 Oct 2007 14:00:52 GMT
Hash: SHA1


Semen Vadishev wrote:
> But behavior I need is: 1. If Tomcat gets request with no user
> information data (username/password) it should pass it to servlet and
> then servlet after handling request's URI according to pba config
> file may send SC_UNAUTHORIZED (if it needs authenticated user) or
> SC_FORBIDDEN (if any access denied). 2. If Tomcat gets request with
> username and password it should check them according to
> conf/tomcat-users.xml and if user authenticated pass it to servlet.

You cannot do this with Tomcat's authentication mechanism. You will have
to provide an alternative implementation. I recommend looking st
securityfilter (

It's implemented as a filter, so it works with any servlet container. It
can work with Tomcat's built-in realms or you can write your own. It
supports unsolicited logins (i.e. you can use your own login page that
submits to j_security_check without having to first request a protected
resource). It has configuration similar to that in web.xml, so you don't
have to learn a new configuration format.

You are free to use securityfilter's authentication mechanisms and
completely skip authorization, which is what it looks like you want to
do (by implementing it yourself).

Hope that helps,
- -chris
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla -


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message