tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Arno Schäfer <>
Subject How to authenticate our webapp against our own relm only
Date Fri, 17 Jul 2015 17:03:58 GMT
Hi all,

I am using Tomcat 7.0.54 with java 1.7 and 1.8 on a Windows 8.1 System, maintaining our webapp
with around 1000 JSP pages and I am NOT a web developer.

I have inherited this application and all of the previous owners are no longer available.
So the last 2months I do a lot of reading and debugging the whole bunch of java and jsp code
and I think, that I have a basic understanding what the software is doing and how it is implemented
at least.
The last days I found a lot of configuration issues and I was able to get the whole stuff
running in a very downsized environment build on a standard tomcat Installation.
I got rid of all special configuration inside the server.xml, so that I was able to fix some
things and do it, like it was described in the beautiful tomcat documentation and available

That's only for some explanations, before the stupid questions may follow:

I have to use basic authentication without an own login form. The behavior I see, is that
if the webapp is starting a realm instance is correctly created and initialized in my webapp,
but if the first request arrive, also the tomcat itself instantiate one object of this class
and took the credentials from the automatically upcoming login form (here IExplorer 11).

My understanding from reading the documentation is, that, if I configure my own realm in my
context.xml (what I have done), that the webapp will use it. That seems to be ok, but why
also tomcat itself instantiate an object of my custom realm and take the first request when
I want to access my webapp. Therefore I have no own control about my JSessions and so my session
management leaks, because I didn't got the info's from the logins, what the tomcat is doing

What is wrong in my configuration or in my understanding? I want be the only one, that got
the requests for the authentication for my webapp.

Here are my server.xml, it only contain one Realm line of our realm in the 'Host' section
(I strip the comments and the header lines, which are unchanged):

                               <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"  factory="org.apache.catalina.users.MemoryUserDatabaseFactory"

                <Service name="Catalina">
                               <Connector acceptCount="100" connectionTimeout="200000"
maxThreads="150" port="9150" protocol="HTTP/1.1" redirectPort="8443"/>
                               <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
                               <Engine defaultHost="localhost" name="Catalina">
                                               [<Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>]

                                               <Host appBase="webapps" autoDeploy="true"
name="localhost" unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false">
                                                               [<Realm className="de.myproject.tomcat.realm.BITRealm"
domainName="dom1" .../>]

The lines in brackets I have switched on and off in several attempts without the wished result.
Without a realm definition in server.xml and only in the context.xml I have had equal results
and one combination I have had one time, was that I have to authenticate twice and the first
time with the data of tomcat-users.xml and the second time with my own one.

Is it possible that there is some more configured in some of the web.xml's or other directories
in WEB-INF, what cause this behavior? I have searched there for some words like security,
realm, userdatabase and so on, but have found nothing.

Hopefully I have explained my problem as good as I know and somebody see my point :)

Thanks in advance, best regards,
mit freundlichen Grüßen


SQS hat bei den AIM Awards 2014 zum zweiten Mal die begehrte
Auszeichnung "International Company of the Year" erhalten. <>

Vorsitzender des Aufsichtsrats: David Bellin
Vorstand: Diederik Vos (CEO) ? Ralph Gillessen (COO) ? René Gawron (CFO)
SQS AG ? Stollwerckstraße 11 ? 51149 Köln
Sitz der Gesellschaft: Köln ? Amtsgericht Köln, HRB 12764

This e-mail may contain confidential and/or privileged information. If you are not the intended
(or have received this e-mail in error) please notify the sender immediately and destroy this
Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message