tomcat-users mailing list archives

From Bárbara Vieira <>
Subject RE: Tomcat's container architecture - Authenticator
Date Wed, 28 Nov 2007 09:58:03 GMT
Hi Carlo!

Thank you for helping me :)

My question is about the invoke method. If you look at the invoke code you can see that:

- the method's first action is to check if there is any Principal in the Request
- if there isn't a Principal, it tests if there is a Principal in the internal
- if there is a Principal (in the Session) it puts the Principal and the authentication method in the Request
- and the method (invoke) carries on, and tries to authenticate the Request


  HttpRequest hrequest = (HttpRequest) request;
  HttpResponse hresponse = (HttpResponse) response;

  // Have we got a cached authenticated Principal to record?
  if (cache) {
      Principal principal =
          ((HttpServletRequest) request.getRequest()).getUserPrincipal();
      if (principal == null) {
          Session session = getSession(hrequest);
          if (session != null) {
              principal = session.getPrincipal();
              if (principal != null) {
                  if (log.isDebugEnabled())
                      log.debug("We have cached auth type " +
                          session.getAuthType() +
                          " for principal " +

If we look now at the authenticate method in the class:

- the first thing it does is check if there is a Principal in the Request
- if there is a Principal, it returns true


  // Have we already authenticated someone?
  Principal principal = hreq.getUserPrincipal();
  String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
  if (principal != null) {
      if (log.isDebugEnabled())
          log.debug("Already authenticated '" +
              principal.getName() + "'");
      // Associate the session with any existing SSO session
      if (ssoId != null)
          associate(ssoId, getSession(request, true));
      return (true);

My question is: why are we putting the Principal in the Request? Why can't we just authenticate the user if there is a Principal in the internal Session?! It doesn't make sense to put the Principal in the Request and then, in the authentication method, just test if there is a Principal in the Request and return true.

In other words, what kind of security does this process provide?!

Was I clear enough?


Thanks for everything,

Regards from Braga, Portugal

Bárbara Vieira
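One way to see what the caching step buys, as an added illustration that is not Tomcat's code and not from either poster: the Principal is copied onto the request only from the server-side Session, which the client can reference solely through its session id, so authenticate() returning true on a present Principal trusts the container's own earlier login rather than anything the client sent. Class names (AuthFlowModel, Request, SESSIONS) are hypothetical stand-ins for Tomcat's AuthenticatorBase, Request and Session.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of the invoke()/authenticate() flow quoted above.
public class AuthFlowModel {

    // Server-side session store: session id -> authenticated Principal.
    // Only container code writes here, after a successful login.
    static final Map<String, Principal> SESSIONS = new HashMap<>();

    // What the client controls is at most the session id (cookie).
    // userPrincipal is container-private state; the servlet facade
    // exposes no setter for it, so no client input can populate it.
    static class Request {
        final String sessionId;
        Principal userPrincipal;   // set only by invoke() below
        String authType;
        Request(String sessionId) { this.sessionId = sessionId; }
    }

    // Mirrors the "cache" branch of invoke(): if the server-side session
    // already holds a Principal, copy it and the auth type onto the
    // request, then hand the request to authenticate().
    static boolean invoke(Request req) {
        if (req.userPrincipal == null && req.sessionId != null) {
            Principal cached = SESSIONS.get(req.sessionId);
            if (cached != null) {
                req.userPrincipal = cached;
                req.authType = "FORM";
            }
        }
        return authenticate(req);
    }

    // Mirrors the start of authenticate(): a Principal on the request can
    // only have been placed there by the container, so nothing is left to
    // verify. Otherwise the real login challenge would follow.
    static boolean authenticate(Request req) {
        if (req.userPrincipal != null) {
            return true; // "Already authenticated"
        }
        return false; // would redirect to the login page instead
    }

    public static void main(String[] args) {
        SESSIONS.put("sid-1234", () -> "barbara"); // constructed: logged in earlier
        System.out.println(invoke(new Request("sid-1234"))); // true, from the session
        System.out.println(invoke(new Request("sid-9999"))); // false, unknown session
        System.out.println(invoke(new Request(null)));       // false, no session at all
    }
}
```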



From: Carlo Politi [] 
Sent: Tuesday, 27 November 2007 23:49
Subject: Re: Tomcat's container architecture - Authenticator


Hi Bárbara, I can help you because I'm doing a new authenticator as work for my thesis. I
have analyzed BasicAuthenticator and modified it; could you tell me the right point of your

----- Original message -----
From: Bárbara Vieira <>
Sent: Wednesday 28 November 2007, 0:23:49
Subject: Tomcat's container architecture - Authenticator

Hi there!

This question is about the Authenticator package. I would appreciate it if anyone can
help me.

I'm implementing a Valve and a Realm to provide authentication and
authorization using two authentication methods at the same time: FORM and
CERT-CLIENT. Obviously, I'm looking at the authenticator package code, more
precisely at AuthenticatorBase.class and FormAuthenticator.class, and
analyzing them. From this analysis some questions have emerged about what the
authors are doing in the invoke method of the AuthenticatorBase class. In other
words, what I would like to know is why the authors are putting the
Principal on the request, and the next step is to authenticate the request?!
I don't understand the reason why we have to pass the request to the
authenticate method in the FormAuthenticator class, because that method isn't
doing anything if the request has a principal. This doesn't make any sense,
because first we put the principal on the request and next, in the
authenticate method, we just test if the request has a principal. Why do we
have to put the principal on the request?! Why can't we just authenticate
the user if the request has a principal, or if the principal is in the internal

I'm a little bit confused about that :)

Thanks for everything,

Regards from Braga, Portugal,

Bárbara Vieira



