tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Johan Thorselius <>
Subject Implementing custom authentication on Tomcat 6.x
Date Tue, 20 Oct 2009 13:22:55 GMT
I have an issue with finding a proper custom authentication mechanism with
Tomcat (6.x). Currently I have a Tomcat 6.0.20 setup with the standard

The http-header is populated on an outside authentication server so the user
is considered already authenticated when he reaches Tomcat.

I have my own callback handler class which takes the name of the user and a
list of roles of the user from the incoming http-header and populates the
subject structure with a UserPrincipal and some RolePrincipal:s, this works
fine. My goal is to use declarative authorization JAAS in Tomcat.

But I am looking for how to get the Tomcat to understand that the
authentication mechanism is not to open a userid/pwd-box (using login-config
as BASIC etc.) but instead to simply accept what is coming in the header as
populated in the subject structure. My LoginModule I can itself have to
accept the subject structure, but something is missing as I don't know how
to work around the login-config as BASIC etc. etc.

I may not be on the correct track, but my research goes to
NonLoginAuthenticator, which extends the same class AuthenticatorBase as
BasicAuthenticator, DigestAuthenticator, and FormAuthenticator. But I cannot
find the 'hook' how to use NonLoginAuthenticator instead, if I am on the
correct track...


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message