tomcat-users mailing list archives

From João Nuno Silva <>
Subject Re: POST replication
Date Wed, 18 Nov 2009 19:13:27 GMT
Caldarale, Charles R wrote:
>> From: João Nuno Silva []
>> Subject: Re: POST replication
>>  From what I've seen in the FormAuthenticator class Mark pointed me to,
>> Tomcat doesn't create a new request, instead it fills its fields with
>> the values from the previous request. I'll try this in the near future
>> and let you guys know how it went. Thanks!
> I'm curious as to why you're reinventing this particular wheel.  Why not let Tomcat's
> built-in authentication handling do the hard work for you, and you just supply either a custom
> Realm or a JAAS-compliant login module to do the actual user validation?  That would seem
> to be a lot easier and a lot less dependent on the internals of the particular Tomcat version
> you happen to be using.
I'm doing this as a hobby, not at work! With this in mind, my reasons are:
1) I want to have an authentication module that's independent of the 
servlet container used (because I think this behavior of request replay 
isn't a standard, but I might be wrong...);
2) I believe I can better optimize session creation to reduce memory 
usage (because I won't save the previous request in session). I think 
this way I can be more tolerant to DoS attacks from unauthenticated users;
3) I'm learning a few things in the process of reinventing this wheel ;)
>  - Chuck