tomcat-users mailing list archives

From André Warnier
Subject Re: Basic and Form Authentication
Date Wed, 02 Dec 2009 22:22:10 GMT
Christopher Schultz wrote:
> André,
> On 12/1/2009 6:57 AM, André Warnier wrote:
>> Peter Crowther wrote:
>>> 2009/12/1 Anthony Jay:
>>>> As for cross application communication I will have to revisit our own
>>>> code to see if there are static/singleton services that can be
>>>> re-engineered and decoupled.
>>> This may be one of the few appropriate times where you may want to put
>>> code for the singletons (and all the classes that might be referenced
>>> by your singletons) in common/lib.  It's not an ideal solution, but it
>>> may save you considerable effort as those classes will then be loaded
>>> by a single classloader, rather than the per-webapp classloaders.
>> Or then, this may be a case where you want to explore front-ending these
>> applications with an Apache httpd server, linked to Tomcat via an AJP
>> connector.
>> There is considerably more flexibility in Apache httpd regarding AAA
>> (since for one it is not bound by the servlet spec), and once a request
>> is authenticated, Apache and the connector will happily pass this
>> authenticated id to Tomcat.  And you would have to change nothing to
>> your servlet-engine side code, singletons and all.
> Yeah, the problem is that AFAICT there is no standard way to do
> form-based authentication with Apache httpd. HTTP BASIC AUTH works
> wonderfully, but how would one implement form-based credential
> gathering? Is a custom module required for this, or does httpd come
> packaged with something that would work, even if a custom form /page/
> would have to be developed that POSTs to a special URL?

Yes, the OP already hit that wall too.
There exist a plethora of Apache/mod_perl modules that do that, 
available on CPAN, and being myself a mod_perl guy and using such 
modules all the time, I never thought it could be an issue.
But strangely enough indeed, it does not appear that there exists a 
standard Apache module, part of the standard distribution, which handles 
form-based logins.
I find that quite puzzling, and cannot quite believe this.  I will 
enquire on the Apache forum about it.
