tomcat-users mailing list archives

From Konstantin Kolinko <>
Subject Re: how to access HTTPServletRequest in RealmBase
Date Sat, 01 Apr 2017 13:59:25 GMT
2017-04-01 15:17 GMT+03:00 André Warnier (tomcat) <>:
> I was also wondering why Konstantin, in his response, mentioned that it was
> "by design" that the Realm has no access to the Request. Was that to avoid
> some kind of problem, or to match the Specs or something ?

Documentation says so. E.g.:
"A Realm is a "database" of usernames and passwords"

One design bit driven by the servlet spec is that an Authenticator
usually is not configured explicitly, but is created automatically,
mapping an <auth-method> onto a class name. See file

The web application decides what authentication protocol to use.

Realms are configured explicitly, and we have one by default.

In a few cases where I went with Tomcat authentication (instead of
the usual Spring Security library) and had special requirements
(checks by IP, preauthentication), I implemented a Valve, not even
an Authenticator.
I am not proud of those, but they served a specific purpose. They were
inspired by the SingleSignOn valve.

BTW, there are alternative technologies: JASPIC, JAAS, GSS (GSSContext
in SpnegoAuthenticator).

JASPIC has access to request & response.

Best regards,
Konstantin Kolinko
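
The Valve approach mentioned in the message, as an added example that is not the author's code and not part of Tomcat: a Valve receives the Request, so it can combine an IP check with preauthentication, which a Realm cannot. It assumes Tomcat 8.5/9 (javax.servlet); the class name, header name, proxy address and role are hypothetical.

```java
import java.io.IOException;
import java.util.Collections;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/** Accepts an identity header only when the request comes from one trusted proxy. */
public class ProxyPreAuthValve extends ValveBase {

    private String trustedProxy = "192.0.2.10";          // constructed sample address
    private String userHeader = "X-Authenticated-User";  // hypothetical header name
    private String role = "user";                        // hypothetical role

    // Setters allow configuration as attributes of the <Valve> element.
    public void setTrustedProxy(String trustedProxy) { this.trustedProxy = trustedProxy; }
    public void setUserHeader(String userHeader) { this.userHeader = userHeader; }
    public void setRole(String role) { this.role = role; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        String user = request.getHeader(userHeader);
        if (user != null) {
            // The header is an identity claim. From any other peer it is
            // client-controlled input, so reject instead of ignoring it.
            if (!trustedProxy.equals(request.getRemoteAddr())) {
                // Log the peer address only, never the untrusted header value.
                containerLog.warn("Rejected " + userHeader + " from " + request.getRemoteAddr());
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            if (user.trim().isEmpty()) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            // Preauthentication: later valves and the webapp see this principal.
            request.setAuthType("PREAUTH"); // label chosen for this example
            request.setUserPrincipal(
                    new GenericPrincipal(user.trim(), null, Collections.singletonList(role)));
        }
        getNext().invoke(request, response);
    }
}
```

The address comparison is a plain string match on `getRemoteAddr()`, so the configured value must be in the same textual form the connector reports, and a RemoteIpValve earlier in the pipeline changes what that method returns.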
