tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Anonymous access with Tomcat Authentication configured.
Date Tue, 09 Oct 2007 20:03:09 GMT


Semen Vadishev wrote:
> Christopher,
> 2007/10/9, Christopher Schultz <>:
>>>> You cannot do this with Tomcat's authentication mechanism. You will
>>>> have to provide an alternative implementation. I recommend looking
>>>> at securityfilter ( ).
>>> Well, securityfilter doesn't satisfy some servlet's requirements
>> Like what?
> Sorry if I was wrong, but does security filter support such auth-methods as
> BASIC, DIGEST, etc.? It was pointed out that "BASIC authentication will be
> supported in an upcoming 1.1 release" at
> . But at
> I found some newer release
> notes, but I found nothing about added support of other auth methods.

Right. The documentation for securityfilter is horrible. Fortunately,
there's not much code there, so it's possible to go into it and see if
something is implemented and how.

I do not believe that securityfilter supports BASIC, DIGEST, or
CLIENT-CERT authentication schemes. It might support BASIC, but I don't
use that so I don't know.

>> ...why you want your own servlets to do the authorization instead
>> of the container (or securityfilter)?
> This is the main question. Today we decided to do nothing new with
> authentication and use special "guest" user in the first version of servlet.

I'm not sure what that means.

> And only if users will ask for anonymous access I described earlier, we'll
> develop custom mechanism or maybe use security filter.

I'm not convinced you need either. You can use the built-in Tomcat
authentication to do logins. You can also use the built-in
authorization, but it looks like you don't want authorization at all:
you want a site that basically lets anyone use it, but also allows
logins for other things (but you haven't mentioned any of them).

Tomcat can do this: just don't make anything protected except for a
single "protected" page that can be used to trigger a login request.

> As I understood, you
> represent the interests of security filter's developers (sorry if it's a mistake)

Not really. I use securityfilter because Tomcat's implementation does
not meet my needs (I need to be able to accept unexpected logins instead
of first requesting a protected resource), but I am not a contributor.

> it will be great if you'll look at servlet's code

I'm not going to read through your code to figure out your requirements.

>>> It will be my first implementation, so any help will be appreciated.
>> First servlet implementation, or first authentication and authorization
>> implementation?
> First authentication and authorization implementation.

Again, I don't think you need to implement anything yourself, whether
you use Tomcat's built-in A&A or if you use securityfilter.

-chris
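
The single-protected-page setup described in the message above, as an added example that is not part of the original message or of Tomcat's documentation: a `web.xml` deployment descriptor in which the `/login` path, the `user` role name, and the two form page names are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Hypothetical names: /login, role "user",
     /login-form.jsp, /login-error.jsp. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- The ONLY constrained URL. Requesting it makes the container
       start its login sequence; every other URL has no constraint
       and is served to anonymous users. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login trigger</web-resource-name>
      <url-pattern>/login</url-pattern>
      <!-- No <http-method> elements: the constraint then covers all
           HTTP methods. Listing only GET and POST would leave the
           other methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Container-managed login; the realm that checks credentials is
       configured in Tomcat itself, not here. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login-form.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- On the unconstrained pages, application code must treat a null
       request.getUserPrincipal() as the anonymous case and must check
       request.isUserInRole("user") itself before exposing anything
       meant only for logged-in users: the container enforces nothing
       outside /login. -->
</web-app>
```

The resource mapped at `/login` only needs to send the user back to an ordinary page once the container has let the request through.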

