tomcat-users mailing list archives

From "Gregor Schneider" <>
Subject Re: Question regarding FormAutenticator
Date Wed, 03 Sep 2008 14:14:07 GMT
Hi there,

On Wed, Sep 3, 2008 at 1:50 PM, H. Hall <> wrote:
> Assuming that your login form is a jsp, why don't you put something like
> this in it:
> if(isOKLogin ){
>     RequestDispatcher rd = request.getRequestDispatcher("/index.html");
>     rd.forward(request, response);
>     return;
> }
> else etc. etc.

nope, that won't work, since I need container-based security with
SingleSignOn for all WebApps.

That means that I *must* authenticate via j_security_check to tell
Tomcat that the user is authorized.

However, j_security_check is an internal method from Tomcat, and the
URL to be authenticated is stored somewhere within Tomcat, no way to
change it at all.

The only options I'm having seem to be

- subclass FormAuthenticator and patch Tomcat

- use a JAAS-implementation, but I got no idea if this will work,
besides, you'll have to deal with the JAAS-implementation (i.e.
JGuard, JOSS etc.) which again means to spend quite some time to
understand and customize them.

In Websphere f.e. you can use a filter, filtering "j_security_check"
and then manipulate request / response, however, that does not work
within Tomcat.
A valve would work, but I doubt that I can modify request / response
in such a valve.


what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @
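
The container-managed setup this message refers to, as an added example that is not part of the original post: FORM authentication through j_security_check combined with Tomcat's SingleSignOn valve. The page names (/login.jsp, /login-error.jsp), the role name "user" and the /* URL pattern are assumptions chosen for illustration.

```xml
<!-- conf/server.xml, inside the <Host> element.
     Shares one authenticated identity across all webapps on this host.
     The Realm must be configured at Host or Engine level so every
     webapp authenticates against the same user store. -->
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />

<!-- WEB-INF/web.xml of each protected webapp (assumed names). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- login.jsp (assumed name). The POST to j_security_check is handled by
     the container's authenticator, not by application code, which is why
     a forward from the JSP does not establish an authenticated principal. -->
<form method="POST" action="j_security_check">
  <input type="text" name="j_username" />
  <input type="password" name="j_password" />
  <input type="submit" value="Log in" />
</form>
```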
