tomcat-users mailing list archives

From sodastream <>
Subject Adding two-factor authentication to a Tomcat app??
Date Tue, 09 Aug 2011 19:52:37 GMT

Given: Commercial application running as a servlet on Tomcat. Tomcat
configuration (server.xml, web.xml) is open and may be modified. The app
handles its own authentication via a conventional username/password form on
a login page. I wanted to add a second factor to the authentication without
modifying the app (except for its Tomcat/servlet conf).

My idea was to tack on a custom Realm to Tomcat. It would be independent
from the application except I had to add a security constraint to its
web.xml. The Realm would authenticate the user using a password provided to
the user over a separate channel (SMS). After authentication the Realm would
be transparent and let the user interact with the application as usual --
all according to my theory.

After some hacking my custom Realm was in place. Following the logic in a
debugger I could see it worked as expected and reported successful
authentication back to the Tomcat machinery. To my disappointment my browser
still showed 403 Forbidden.

At this point I was stumped and realized I don't know enough about Tomcat.
Is my theory viable or flawed? Overlooked something? What's some better way
to add a second factor to authentication of an opaque application running on

All kinds of ideas and pointers are appreciated, thanks a lot.
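As an added example (not code from the original post), one way the custom Realm described above can report the second-factor check to Tomcat without the 403 that follows a successful authenticate() whose Principal carries no role named in the web.xml auth-constraint. It assumes Tomcat 7's RealmBase and GenericPrincipal API; the class name, role name and in-memory code store are placeholders.

```java
// Added illustration, not code from the original post. Assumes Tomcat 7's
// org.apache.catalina.realm.RealmBase API (GenericPrincipal(name, password,
// roles); Tomcat 6's constructor takes a leading Realm argument instead).
//
// Matching web.xml constraint; the role name must be granted by the Realm:
//   <security-constraint>
//     <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
//     <auth-constraint><role-name>otp-verified</role-name></auth-constraint>
//   </security-constraint>
//   <login-config><auth-method>BASIC</auth-method><realm-name>OTP</realm-name></login-config>
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class OneTimeCodeRealm extends RealmBase {

    /** Role granted by this Realm; must match <role-name> in web.xml. */
    static final String ROLE = "otp-verified";

    /** username -> one-time code sent over the second channel (delivery not shown). */
    private final Map<String, String> pendingCodes = new ConcurrentHashMap<String, String>();

    public void issueCode(String username, String code) { pendingCodes.put(username, code); }

    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) return null;
        // remove() makes each code single-use, so a replayed code is rejected.
        String expected = pendingCodes.remove(username);
        if (expected == null || !constantTimeEquals(expected, credentials)) return null;
        // A 403 after a "successful" authenticate() usually means the returned
        // Principal has no role listed in <auth-constraint>; grant it explicitly.
        return new GenericPrincipal(username, null, Arrays.asList(ROLE));
    }

    private static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }

    @Override protected String getName() { return "OneTimeCodeRealm"; }
    // Unused: credentials are checked in authenticate() above, not looked up.
    @Override protected String getPassword(String username) { return null; }
    @Override protected Principal getPrincipal(String username) { return null; }
}
```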
