tomcat-users mailing list archives

From Felix Schumacher <>
Subject Re: How to authenticate our webapp against our own relm only
Date Tue, 21 Jul 2015 16:13:08 GMT

On 21 July 2015 17:50:43 MESZ, Arno <> wrote:
>Christopher Schultz <chris <at>> writes:
>> Accessing a protected resource triggers an authorization check, which
>> also required authentication. Some realms cache authentication
>> information while others do not. The authenticator is a Valve which
>> uses the Realm to perform the authentication and gather authorization
>> information (e.g. roles). If the user isn't authenticated, then they
>> are challenged for credentials (login form, SSL client certificate,
>> HTTP BASIC/DIGEST auth, etc.) and the credentials they provide are
>> fed back into the realm to authenticate the user. Then the roles are
>> checked for authorization.
>OK, thanks for this explanation, that makes it clearer for me. One
>question about "...Accessing a protected resource..."
>Which resources are protected is decided by what kind of configuration?
>Because I do nothing special for this, I think that my configuration is
>using the normal defaults for BASIC authentication.
>Perhaps there is some potential space to increase performance by
>this authentication for a lot of request types.

You have to look in the web.xml of your webapp. Google for security-constraint. Newer Servlet
API versions can also set those through annotations.

>Because I will have some issues with the administration of my session
>handling, can I also influence the JSESSIONID generation with such kind of
>configuration or is this done by the used browser only?
>Background for this question: Now I recognize, when I open a new
>instance of e.g. an IExplorer with my home URL, this new instance uses the same
>id that the parallel running instance is also using. Is it possible to
>configure this in the Tomcat instance or couldn't I influence this

That is a feature of IE. It will share its cookies with all windows.

If you don't want to use cookies for the authentication (session), you can use the cookies
attribute on the context of your webapp. See

Alternatively you can use different browsers, different instances of browsers that don't share
their jar of cookies, or use different DNS names or IPs and thus create different cookie


PS. If you have new questions, you should open new discussions by sending new mails with new

>kind regards

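The security-constraint mechanism Felix points to, as an added example that is not part of the thread: a WEB-INF/web.xml for a hypothetical webapp in which only /app/* and /api/* trigger the BASIC authenticator, while every other URL is served without a realm lookup. The URL patterns, role name and realm name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the mailing-list thread). Only requests that match
     a security-constraint with an auth-constraint go through the authenticator
     Valve and the Realm; everything else is served without a credential check. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Protected area: these patterns (assumed) are the "protected resources". -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/app/*</url-pattern>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Role name is an assumption; it has to exist in the configured Realm. -->
      <role-name>appuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC sends credentials base64-encoded on every request, so require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- URLs that match no security-constraint (e.g. static assets under /public/)
       are never challenged, so the Realm is not consulted for them. -->

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- Realm name shown in the browser's credential prompt (assumed). -->
    <realm-name>Example App</realm-name>
  </login-config>

  <security-role>
    <role-name>appuser</role-name>
  </security-role>
</web-app>
```

The cookies attribute from the reply lives in the webapp's META-INF/context.xml (`<Context cookies="false">`), which makes Tomcat track the session by URL rewriting (a `;jsessionid=` path parameter) instead of a cookie, so the session id then appears in URLs, access logs and Referer headers; separate browser profiles keep the id out of those places.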
