tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Basic and Form Authentication
Date Wed, 02 Dec 2009 22:24:22 GMT
Pid wrote:
> On 02/12/2009 17:34, Christopher Schultz wrote:
>> Hash: SHA1
>> André,
>> On 12/1/2009 6:57 AM, André Warnier wrote:
>>> Peter Crowther wrote:
>>>> 2009/12/1 Anthony Jay<>:
>>>>> As for cross application communication I will have to revisit our own
>>>>> code to see if there are static/singleton services that can be
>>>>> re-engineered and decoupled.
>>>> This may be one of the few appropriate times where you may want to put
>>>> code for the singletons (and all the classes that might be referenced
>>>> by your singletons) in common/lib.  It's not an ideal solution, but it
>>>> may save you considerable effort as those classes will then be loaded
>>>> by a single classloader, rather than the per-webapp classloaders.
>>> Or then, this may be a case where you want to explore front-ending these
>>> applications with an Apache httpd server, linked to Tomcat via an AJP
>>> connector.
>>> There is considerably more flexibility in Apache httpd regarding AAA
>>> (since for one it is not bound by the servlet spec), and once a request
>>> is authenticated, Apache and the connector will happily pass this
>>> authenticated id to Tomcat.  And you would have to change nothing to
>>> your servlet-engine side code, singletons and all.
>> Yeah, the problem is that AFAICT there is no standard way to do
>> form-based authentication with Apache httpd. HTTP BASIC AUTH works
>> wonderfully, but how would one implement form-based credential
>> gathering? Is a custom module required for this, or does httpd come
>> packaged with something that would work, even if a custom form /page/
>> would have to be developed that POSTs to a special URL?
> The only HTTPD module that supports form auth that I've heard of is 
> mod_auth_cookie, but it's not included with the distribution & has had, 
> I believe, varying levels of support during its life.
At the last ApacheCON Europe in Amsterdam, there was I believe also talk 
about a new Apache mod_session module.  But I've never seen any mention 
of it since.
I'll ask about that too.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message