tomcat-users mailing list archives

From Christopher Schultz
Subject Re: HTTP 400 with Form based authentication
Date Tue, 01 Sep 2015 16:11:28 GMT
On 8/31/15 3:16 PM, Sreyan Chakravarty wrote:
> Well Christopher thanks for that eye opener. I didn't know that the
> specs were so inconsistent.

They aren't inconsistent... it's just that they don't cover a popular
use case. Remember that container-managed authentication has to cover
types of authentication other than "FORM".

The client can't, for instance, force HTTP Basic credentials into a
server without knowing what the server's "realm" is for HTTP Basic.
The server won't ask for authentication unless it's necessary, and
authentication isn't necessary unless the user tries to access a
protected resource.

The same is true for SSL client certificates. When you consider all
the types of authentication that the servlet spec covers, it makes
more sense why the authentication is done the way it is. (It doesn't
make it any less irritating, though.)

> Okay now regarding your comment-:
> "Servlet 3.0 added the HttpServletRequest.login() method would
> improved the situation greatly: you can implement your own login
> handler that plugs-into the authentication services of the
> container. It's just that the container doesn't handle any
> redirection to a login page (none is required) or credential
> capturing (easily done with a servlet)."

(Note that the word "would" should have been "which has" above.)

> How do you implement your own login handler and how do you plug
> that into Tomcat Auth services.
> Can you provide some info as to how I would do that ?

You write your own servlet and point your "main" login at it:

<form method="post" action="/path/to/my/login/servlet">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="submit" />
</form>

public class MyLoginServlet extends HttpServlet {
  public void doPost(HttpServletRequest req, HttpServletResponse rsp) throws ServletException {
    req.login(req.getParameter("username"), req.getParameter("password")); // the Realm checks them
  }
}

It's up to you to decide what else should happen after authentication
succeeds. This hooks into the container's authentication system by
using whatever Realm has been defined to actually do the
authentication (e.g. DataSourceRealm) and will also use the
CredentialHandlers we've been discussing.

> And what is the extension to FORM Authenticator that Mark is
> talking about ?

Check out the documentation for the FORM Authenticator and you'll see
that you don't actually need to write your own servlet like the above
if all you want to do is allow drive-by logins and always forward to
the same URI:

Unfortunately, that feature is buried in the configuration reference
for the FormAuthenticatorValve and not somewhere more easily
accessible like under "Realms and AAA" for example.

> Also correct me if I am wrong, then the page that I use to login
> and the page that will contain j_security_check as an action must
> be two different pages.

If you use the form/servlet I outlined above, then yes: your "main"
login page should be separate from the one you use for Tomcat's
automated authentication. Of course, you can use a single
parameterized page or a complex series of JSPs that include each other
to avoid duplication, or you can just make two pages.

If you use Mark's technique to configure the FormAuthenticationValve,
then you can use a single form for everything. I would highly
recommend simply using the FormAuthenticationValve configuration
because you have to do a whole lot less work.

> Also can I have two <login-config> elements in my web.xml ?

Nope. How would the container know when to pick one over the other?

-chris
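A complete version of the "write your own servlet" approach from the reply above, added here as an example rather than code from the original message or from Tomcat itself. It assumes a Tomcat 8 / Servlet 3.1 container (for changeSessionId()), an HTML form that posts "username", "password" and an optional "next" parameter to the context-relative path /login, and a landing page /index.jsp; all of those names are choices made for this example. The Realm that actually checks the password is whatever is configured for the context (DataSourceRealm, etc.), exactly as the reply describes.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Login handler built on HttpServletRequest.login() (Servlet 3.0).
 * The container's configured Realm (and its CredentialHandler) verifies the
 * password; this servlet only collects the credentials and decides what
 * happens next. URL pattern, parameter names and landing page are
 * assumptions made for this example.
 */
@WebServlet("/login")
public class MyLoginServlet extends HttpServlet {

    private static final String DEFAULT_LANDING = "/index.jsp"; // assumed

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse rsp)
            throws ServletException, IOException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        if (username == null || password == null) {
            rsp.sendError(HttpServletResponse.SC_BAD_REQUEST, "username and password required");
            return;
        }

        // A session must exist before its id can be rotated. Rotating it before the
        // principal is attached defeats session fixation even if the authenticator's
        // changeSessionIdOnAuthentication attribute has been switched off.
        req.getSession(true);
        req.changeSessionId();

        try {
            // Delegates to Realm.authenticate(); no redirect to a login page is involved.
            req.login(username, password);
        } catch (ServletException e) {
            // Bad credentials, or the request already carried a principal (the
            // Servlet spec makes both a ServletException). Give the client one
            // generic answer rather than a reason it can probe with.
            rsp.sendRedirect(req.getContextPath() + "/login.html?failed=1");
            return;
        }

        // Unlike j_security_check there is no "saved request" to return to, so the
        // post-login destination has to come from the form itself.
        rsp.sendRedirect(req.getContextPath() + safeTarget(req.getParameter("next")));
    }

    /**
     * Accepts only an absolute path inside this web application as the post-login
     * destination, so a crafted ?next=https://attacker.example (or a
     * protocol-relative //attacker.example) cannot turn the login servlet into an
     * open redirect.
     */
    static String safeTarget(String next) {
        if (next == null
                || !next.startsWith("/")
                || next.startsWith("//")
                || next.startsWith("/\\")) {
            return DEFAULT_LANDING;
        }
        return next;
    }
}
```

The web application still needs a Realm configured (in server.xml or the context's META-INF/context.xml) and a <security-constraint> for whatever resources should require a principal; <login-config> with FORM can coexist with this servlet, since req.login() bypasses the valve's redirect-to-login-page logic rather than replacing it. On Tomcat 7 (Servlet 3.0) drop the changeSessionId() call and rely on the authenticator's default session-id rotation.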
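The alternative the reply recommends, configuring the FORM authenticator valve instead of writing a servlet, looks like the following. This is an added example, not configuration from the original message; the page names are assumptions, and the form that goes with it is the standard one (j_username and j_password posted to j_security_check). Declaring the valve explicitly in the context replaces the FormAuthenticator that Tomcat would otherwise add automatically for <auth-method>FORM</auth-method>.

```xml
<!-- META-INF/context.xml of the web application (example; page names assumed) -->
<Context>
  <!-- landingPage is what makes a "drive-by" login work: a form submitted straight
       to j_security_check, without a protected resource having been requested
       first, would otherwise be answered with HTTP 400. With it set, such a login
       lands the user on this page instead. changeSessionIdOnAuthentication is the
       default (true) and is spelled out here only to show where the
       session-fixation protection is controlled. -->
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         landingPage="/index.jsp"
         changeSessionIdOnAuthentication="true" />
</Context>

<!-- WEB-INF/web.xml: the single <login-config> the container allows -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>example</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>
```

With this in place the same login.jsp serves both the "main" login link and the redirect the container performs when a protected resource is hit, which is why the reply says a single form is enough.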