tomcat-users mailing list archives

From Alan Chaney
Subject Authenticating Users
Date Sat, 21 Feb 2009 20:54:34 GMT

We have a site which has users log in to create/edit account 
information. Nothing unusual there. Currently this is implemented with a 
JDBCRealm and it all works OK.

However, we have a 'marketing requirement' to remove case sensitivity 
(but NOT case preservation) from user names and passwords. I cannot see 
any way to do this directly with JDBCRealm or DataSourceRealm. Unless I'm 
missing something, the username and password provided to j_security_check 
are explicitly matched for case.

Additionally, we will shortly need to offer an alternative login 
mechanism - using either a login name or an email address in the same field.

So far, I can see the following options:

1. Implement a filter that 'sits around' the login form and translates 
case on password and username to lower case and create a lowercase 
'shadow' password table in my database. So, when a request is received 
for the 'secured' pages this would be fed through this filter. However, 
I don't think this will work, because I suspect that the security check 
is run BEFORE any filters that I have configured in web.xml.

2. Implement some JavaScript to convert entered fields to lower case on 
the login form (GHASTLY!). Still doesn't fix the password thing.

3. Implement my own Realm - intercept the requests - identify the 
supplied string in the username field as an email address (or not), look 
up the user by email address in the database (which in my case must be 
unique). As I use PostgreSQL I can then write a 'like' query to case 
insensitively find matching user and password. Upside - it should work. 
Downside - I then have to add the resulting jar to $TOMCAT_HOME/lib on 
all my servers and update the MBean descriptor (which I don't completely 
understand how to do - advice?)

4. Possibly do something similar to 3 but with a JAAS.

Does anyone have any suggestions or comments? I'm perfectly OK with 
using Acegi - my only issue with that is that, after a browse through the 
docs, I don't see how I can meet my requirement of username/email and 
password case insensitive but case preserving without additional code for 
Acegi either. Obviously I can take that issue to the Acegi/Spring forums if 
Acegi is the only solution (that is, 1, 3, and 4 above won't work - 2 
is out).

Thanks in advance

Alan Chaney
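
An added example, not part of the original message: one way to get the case-insensitive but case-preserving lookup described in option 3 on PostgreSQL, matching with equality on lower() rather than a pattern match, because LIKE and ILIKE treat % and _ in the submitted value as wildcards. The table, column, index and statement names and the sample rows are assumptions constructed for illustration; password comparison is left out.

```sql
-- Constructed schema; all names here are assumptions, not the poster's database.
CREATE TABLE users (
    user_id   serial PRIMARY KEY,
    -- Stored exactly as typed, so the original case is preserved for display.
    -- Login names may not contain '@', so a submitted value can never be
    -- both somebody's login name and somebody else's email address.
    user_name text NOT NULL CHECK (position('@' in user_name) = 0),
    email     text NOT NULL CHECK (position('@' in email) > 0),
    user_pass text NOT NULL          -- password digest, never the clear text
);

-- Uniqueness is enforced on the lower-cased value: 'Alan' and 'ALAN' cannot
-- both register, yet the stored spelling is untouched. The same expression
-- indexes serve the lookup below.
CREATE UNIQUE INDEX users_name_ci  ON users (lower(user_name));
CREATE UNIQUE INDEX users_email_ci ON users (lower(email));

-- Constructed sample rows with placeholder digests.
INSERT INTO users (user_name, email, user_pass) VALUES
    ('Alan',  'Alan@Example.org',  '<digest-placeholder-1>'),
    ('alice', 'alice@example.org', '<digest-placeholder-2>');

-- One login field that accepts either a login name or an email address.
-- $1 is the submitted value, always bound as a parameter. Because of the
-- CHECK constraints and unique indexes, at most one row can match.
PREPARE find_user(text) AS
    SELECT user_name, user_pass
    FROM users
    WHERE lower(user_name) = lower($1)
       OR lower(email)     = lower($1);

-- The same account is found whatever case the visitor types, by name or email.
EXECUTE find_user('ALAN');
EXECUTE find_user('alan@example.ORG');

-- With equality, % and _ are ordinary characters: this value is compared
-- literally and can only match a login name spelled 'al%'.
EXECUTE find_user('al%');

-- Contrast: the pattern-matching form. Here the submitted % is a wildcard,
-- so the same input selects every login name beginning with 'al'.
PREPARE find_user_like(text) AS
    SELECT user_name FROM users WHERE user_name ILIKE $1;
EXECUTE find_user_like('al%');
```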
