• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
  • Mikalai Zaikin

Custom Authentication Tomcat 8

Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I want to create my custom authenticator with Tomcat 8. However, as it already offers authentication, I just want to circumvent Tomcat when it verifies if the username/password pair is correct. I still want to use the BASIC authentication offered by Tomcat 8; I only want to modify the verification process of the authentication. I'm thinking about extending the BasicAuthenticator class. Is it the best practice? Or does anybody have a better idea?


Saloon Keeper
Posts: 27884
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Likes 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Welcome to the Ranch, Bastien!

I don't really understand that.

J2EE defines a very secure login process. In fact, as far as I know, it has never been subverted. On the other hand, I've spent a LONG time working with Tomcat, including some military and banking systems, and the one thing I've seen is that over 90% of them could be subverted by non-technical people in 15 minutes or less. So it makes sense to use Tomcat's implementation of the J2EE standard. Plus, you also get access to J2EE user identity and authorization API functions.

Basic authentication isn't considered as secure as form-based authentication, but the Tomcat security system doesn't care which one you choose - it's separate from the authenticator, which is implemented in a Tomcat plugin known as a Realm. The Realm API is very simple. It's 2 most essential methods are the authenticate method, which accepts 2 arguments (the userid and password from the login dialog or form) and returns a true/false response (or throws an Exception). In that way, password data doesn't leak into Tomcat or the webapps and thus would-be exploiters don't get handed free assistance. The other essential method creates an instance of a UserPrincipal object, which the Realm, Tomcat server and even (if you're careful) the application program can be used for realm-specific storage for that user.

Because the authenticate method is a simple yes/no interface, the Realm can be constructed to use a variety of backing services. There are Realm modules for XML files, JDBC databases, LDAP/Active Directory, Kerberos and more. And if you don't like the standard ones and need to, for example, authenticate against a custom web service, you can easily create your own Realm.

Unless you have some sort of really special need, I'd recommend using or creating a Realm over replacing the BasicAuthenticator class.
Don't get me started about those stupid light bulbs.
    Bookmark Topic Watch Topic
  • New Topic