tomcat-users mailing list archives

From André Warnier
Subject Re: Tomcat login
Date Tue, 30 Mar 2010 16:57:09 GMT

I don't want to interfere with the other people here who are trying to 
help you in the direction of a "pure Tomcat" solution.  I am incompetent 
in that area, while they are, and their recommendations may in the end 
be better than mine.
So let's say that there are alternative ways in which your basic issue 
could be solved, and what I am suggesting is one of these possible 

The solution I am suggesting consists of separating the "user management 
business" from the "Tomcat application business".

My first premise is that managing users, passwords, rules for these 
passwords, aging, people coming and going etc. is a complicated and 
time-consuming task and, if there already exists an AD infrastructure 
(or 3) that does this and people who manage it, maybe you do not want to 
create and manage a 4th system.
(For example, if you create a mechanism based on a database, then you 
will probably have to synchronise that database with the 3 existing AD 
databases; and you will probably never obtain from the separate admins 
of the 3 AD domains, that they send you every day a new list of their 
users and passwords).
My second premise is that users, in general, do not like to have to 
login several times, and remember different user-id's and/or passwords 
for different things.
So if you can propose a solution which requires less additional 
programming and setup, and less management hassle later on, that may be 
to your own and to the users' advantage.

Based on your previous explanations, I will imagine that there are 3 
locations from where users can access your Tomcat system; that at each 
of those locations, there is a Windows domain based on an AD system; and 
that the users in each of those locations already login to their local 
domain before they access your Tomcat applications; and that these 
systems already manage the business of password rules and aging, and the 
day-to-day business of people coming and going.
If it is so, you can set up a system whereby the local login which each 
user has already done once when they started their workstation, can be 
used by your Tomcat application(s).  Your Tomcat application(s) will 
automatically receive, for each access, a unique and pre-authenticated 
user-id for each user, just as if you had done the authentication 
yourself at the Tomcat level.  This user-id can include the original 
domain name of the user (iow the location), so that if two users 
"john.smith" exist in two separate AD domains, they will not be confused.

This method does not necessarily cover all your needs, and it may still 
require some user data and some management at the Tomcat level, but it 
may also avoid having to re-implement and manage stuff that is already 
being done elsewhere.

If you are still interested, then go have a look here:

I am not saying that this is necessarily the solution for you, but it is 
maybe worth having a look at it.

(and no, I am not an employee of that company; it is just something I 
use myself with Tomcat, in contexts apparently similar to yours.)
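An added example, not from the original mail nor from any product it refers to, of how a Tomcat application can consume the pre-authenticated, domain-qualified user-id described above. The filter name and the two id formats it accepts ("DOMAIN\user" and "user@domain") are assumptions; the mail only says the id can carry the domain.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Consumes the pre-authenticated user id on every request and keys all
// per-user data on domain + name, so that two "john.smith" accounts coming
// from two separate AD domains are never confused with each other.
public class DomainUserFilter implements Filter {

    public static final class DomainUser {
        public final String domain;   // e.g. "SITE1" (assumed sample value)
        public final String name;     // e.g. "john.smith"
        DomainUser(String domain, String name) { this.domain = domain; this.name = name; }
        // Use this, never the bare name, as the key for user data at the Tomcat level.
        public String key() { return domain + "\\" + name; }
    }

    // Assumed formats: down-level "DOMAIN\user" and UPN-style "user@domain".
    private static final Pattern DOWN_LEVEL = Pattern.compile("^([A-Za-z0-9._-]+)\\\\([A-Za-z0-9._-]+)$");
    private static final Pattern UPN        = Pattern.compile("^([A-Za-z0-9._-]+)@([A-Za-z0-9._-]+)$");

    /** Returns null when the id is absent, malformed, or carries no domain part. */
    public static DomainUser parse(String remoteUser) {
        if (remoteUser == null) return null;
        Matcher m = DOWN_LEVEL.matcher(remoteUser);
        if (m.matches()) return new DomainUser(m.group(1).toUpperCase(Locale.ROOT), m.group(2));
        m = UPN.matcher(remoteUser);
        if (m.matches()) return new DomainUser(m.group(2).toUpperCase(Locale.ROOT), m.group(1));
        return null; // an unqualified "john.smith" is ambiguous across domains: refuse it
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // getRemoteUser() is filled in by the authenticator in front of the application;
        // it must never be derivable from anything the browser can send on its own.
        DomainUser user = parse(http.getRemoteUser());
        if (user == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // fail closed instead of falling back to an anonymous session
        }
        req.setAttribute("domainUser", user);
        chain.doFilter(req, res);
    }
}
```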
