tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Johannes Michler <>
Subject Re: Fwd: No longer able to use my own org.apache.catalina.authenticator.BasicAuthenticator in Tomcat 8.5.5
Date Mon, 03 Oct 2016 13:20:55 GMT
Hi Mark,

Thanks a lot for pointing out. Indeed I relied to much that I did not get
any faults and didn't check that part. I'll try with the renamed method
tomorrow, but I'm quite sure that will solve the issue.

Regarding returning http 403 you suggest to do that in our custom
basicauthenticator as well, correct? But this would still require us to
install a tomcat version specific library globally, wouldn't it?


Am 03.10.2016 15:01 schrieb "Mark Thomas" <>:

On 01/10/2016 18:50, Johannes Michler wrote:
> Hi,
> for our own web-application we overwrite the standard way of how Tomcat
> BasicAuthenticator is working in order to avoid the popup of a
> "Basic-Auth-Dialog" in some situations (where we're calling a service
> provided by the tomcat over a script). Therefore our context.xml in the
> app looks as follows:
> <Context cookies="false">
> <Valve
> className="biz.horus.database.server.servletscript.
> />
> </Context>
> HorusTomcatBasicAuthenticator is implemented as follows:
> public class HorusTomcatBasicAuthenticator extends BasicAuthenticator
> implements Authenticator {
>     @Override
>     public boolean authenticate( Request request, HttpServletResponse
> response) throws IOException {
>         System.out.println( "XXXX start out");
>         boolean result = super.authenticate( request, response);
>         System.out.println( "XXXX authenticate: " + result);
>         modifyResponse( request, response);
>         return result;
>     }
>     private void modifyResponse( Request request, HttpServletResponse
> response) {
>         String url = request.getPathInfo();
>         System.out.println( "XX URL=" + url);
>         System.out.println( "XX Auth Header:" + response.getHeader(
>         if ( response.getHeader( AUTH_HEADER_NAME) != null &&
> url.startsWith( "/rest"))
>             response.setHeader( AUTH_HEADER_NAME, "HCP_BASIC");
>     }
> }
> This is working great with Tomcat 8.0(.37). Though with Tomcat 8.5.5
> that code in "authenticate" is no longer called. Instead it seams that
> the "standard" BasicAuthenticator is being used.
> However if I entirely remove my jar-file that contains
> HorusTomcatBasicAuthenticator.jar from the tomcat/lib-folder I'm getting
> an error.
> Any ideas on that? I've looked into the tomcat 8.5 migration guide but
> could not find any hints on changed behaviour.

Whilst the Tomcat 8.5 internal API is broadly compatible with Tomcat 8.0
there have been many changes at the detail level and they are not binary
compatible. Developers of custom components that interact with Tomcat's
internals should review the JavaDoc for the relevant API.



Of particular note will be changes related to authenticate() and

> Also when comparing the
> Valve-Documentation of Tomcat 8.5 and 8.0 I do not see a difference.
> Or would it be better to address this with
> <> since it might as well be a bug?

No. The users list is the right place for this.

> Or is there a more elegant way to solve this problem to not reply with
> "WWW-Authenticate: Basic" if authentication is not succesful?

Maybe just change the status code to 403?


To unsubscribe, e-mail:
For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message