tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Windows Local user Login
Date Thu, 01 Apr 2010 13:35:18 GMT
Hash: SHA1


On 4/1/2010 3:12 AM, St├ęphanie Cettou wrote:
> - the webapp running in a Microsoft Windows 2003 Server environment.
> Active directory is NOT use in this server.

Got it.

> - Actually the users authenticate with a user/passwords/roles in a SQL
> 2000 Database.

Perfect! There's no reason to mess around with AD/NTLM/Kerberos or any
of that stuff: just use a standard Realm that ships with Tomcat to
authenticate against a JDBC user database.

Uh, does "SQL 2000 Database" really mean "Microsoft SQL Server 2000"?

> <Realm  className="org.apache.catalina.realm.JDBCRealm"

I highly recommend that you do *not* use JDBCRealm, as this realm is
"effectively single-threaded" according to the Tomcat developers.
Consider using DataSourceRealm instead, which uses a pool of JDBC
connections to perform authentication.

>              driverName="net.sourceforge.jtds.jdbc.Driver"

If you're running Microsoft SQL Server, you should probably be using the
Microsoft JDBC driver. Although, I did look up jTDS and it looks like
it's a decent driver.

>              userTable="Users" userNameCol="UserId" userCredCol="Password"
>              userRoleTable="UsersFeatures" roleNameCol="FeatureID" />
> like standard tomcat authentication.

Okay, great. It wasn't clear that you had an acceptable authentication
solution already implemented.

> But, I need to change to implement my goal...
> c) Can you use your own database? Yes (but I must to be implement
> complex authentication)

I see. Let's go to your previous message:

> - Check type of password (more that 8 char, special char,...)

Tomcat does not provide any way to change passwords, so you'll have to
implement these items yourself in your password-change code.

> - Ask new password every month (from the web site)

Again, you'll have to implement this yourself.

> - Block the user after 3 failed login

Tomcat does not implement this until recent versions of Tomcat 6.x. Are
you able to upgrade to the latest Tomcat 6.x? You can use LockOutRealm
to do /some/ kind of blocking (I'm not sure exactly what your
requirements are, and I'm not sure exactly what the LockOutRealm does to
enforce the locking).

> - Block inactive user (ex after 90 days)

Tomcat does not do this, either: you'll have to either use your own
authentication system (such as securityfilter along with your own Realm
implementation that includes additional data-checking during the login)
or in some other way.

We implement features like the above in our project by using
securityfilter with a custom Realm, plus a "credential Filter" which
checks password age and user status, and then does things like redirect
all requests to the "change password" page if you need to change your
password, etc.

Perhaps something like that would work for you.

Hope that helps,
- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message