Win a copy of Python Continuous Integration and Delivery this week in the Python forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Liutauras Vilda
  • Bear Bibeault
  • Paul Clapham
  • Jeanne Boyarsky
  • Devaka Cooray
  • Junilu Lacar
  • Tim Cooke
Saloon Keepers:
  • Tim Moores
  • Ron McLeod
  • Tim Holloway
  • Claude Moore
  • Stephan van Hulst
  • Winston Gutkowski
  • Carey Brown
  • Frits Walraven

Creating 2nd Login-Page with Tomcat Standard Security Mech. activated  RSS feed

Posts: 4
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Dear all,

I'd like to create a web app with 2 different possibilities for user to login

The first one is using the standard tomcat security mechanism, i.e by defining realm with the user and user role tables:

USER: user - password
USER_ROLE: user - userrole

so that the 1st login page will look approx. as follows:

<form action="<%= response.encodeURL("j_security_check") %>" method="post" id="loginForm" name="loginForm">
<table cellpadding="0" cellspacing="0" border="0">
<td height="45px" colspan="2" style="padding:0;"> </td>
<tr style="height:24px;">
<td style="padding:0 0 0 5px;">
<label for="j_username">Username</label>
<td style="padding:0;">
<input type="text" value="Username" id="j_username" name="j_username" />
<tr style="height:24px;">
<td style="padding:0 0 0 5px;">
<label for="j_password">Password</label>
<td style="padding:0;">
<input type="password" value="*****" id="j_password" name="j_password" /></td>

Now I'd like to create a 2nd login-page, which protects exactly the same sites, but the fields should be diffenet, i.e. instead of using username and password, the user should be able to login using his lastname, birthday, mail address and password

The table which contains those information has also the column containing the username, e.g

USER_INFO: username - lastname - birthday - email

My questions are:
- is it still possible to implement this kind of 2nd login page while the standard tomcat mechanism is activated (any round-way or forwarding possible?)
-if yes, could you please provide a simple example for this?

Many thanks in advance!


Saloon Keeper
Posts: 20505
Android Eclipse IDE Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Tomcat's standard (container-managed) security is defined by the J2EE standard. Unfortunately, that standard is not very flexible. It diverts URL requests to a standard channel which implements both the controller and model for the login process. The login model contains only a userID and password which are passed to the internal authentication mechanism - which in Tomcat is called a Realm.

For this reason, the straight container-managed security mechanism isn't well-suited for systems where the method of signon varies from straight userid/password. On the other hand, the reason that userID/password is so popular is that users have shown a remarkable ability to get confused by anything more complicated. Plus, when you're designing portals and other complex single-signon systems, it keeps everything to a common denominator.

For an alternative signon system, you have 2 choices. You can either forgo standard security or you can augment it.

If you forgo standard security, you lose a lot of benefits. Including the fact that you'll have to write and debug all your own security code.

Augmenting standard security is not trivial, however, since you're going to have to plug into places where normally things are done for you. You can, for example, implement the alternative credentials as a form, but you can't just submit the form, since the container will recurse you right back into the signon framework. You'll probably have to create a custom Tomcat Realm. That isn't hard, but it does require a little expertise, since you're effectively modifying Tomcat itself.

Custom Tomcat Realms aren't adaptable to other containers, so if you want to port to WebLogic, you'll have to recreate the functions as a WebLogic Realm. And at the end of the process, you're going to have to convert the custom credentials to standard ones, since the container-based security is dependent on having the framework construct a Principal containing the userId which can be used to determine the user's container Roles.
Consider Paul's rocket mass heater.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!