tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Hauke Mehrtens <>
Subject Using two authentication methods for one application
Date Wed, 01 Jun 2011 09:48:31 GMT
I created my own authentication method beside BASIC, DIGEST, FORM, and
CLIENT-CERT to allow the user to authenticate against our own SAML IdP
and enter the user credentials on a page provided by the IdP. The
authentication method of the IdP uses a Java applet to access a smart
card and get the user credentials, so the web browser has to be
redirected to some different page to login.

To add our own authentication method we extended
org.apache.catalina.authenticator.AuthenticatorBase and added the it to
the list of supported methods in the tomcat configuration. This is
working like expected.

Now it should be possible to also log into the application with a from
based authentication in addition to the IdP login, the normal FORM
method would be nice. The user should select at some entry page what
method he wants to use and then the correct authentication method should
be used. I tried to modify the web.xml of my web application to add both
methods, but it did not work.
Adding two <login-config> or two <auth-method> is not allowed. Now my
plan is to implement some additional authentication method which
supports both or a method which will forward the request to some other
method ( my own or FORM) depending on some attribute in the http
request, but this does not look clean to me. Is there a clean way to do

I am working on the Tomcat included in the JBoss 5.1 (I think it is
6.0), but it should also work on other versions (>= 6.0) so that we are
able to secure any web application running on some tomcat.


Please add me to the CC as I am not subscripted to the list.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message