I want to create my custom authenticator with Tomcat 8. However, as it already offers authentication, I just want to circumvent Tomcat when it verifies if the username/password pair is correct. I still want to use the BASIC authentication offered by Tomcat 8; I only want to modify the verification process of the authentication. I'm thinking about extending the BasicAuthenticator class. Is it the best practice? Or does anybody have a better idea?
J2EE defines a very secure login process. In fact, as far as I know, it has never been subverted. On the other hand, I've spent a LONG time working with Tomcat, including some military and banking systems, and the one thing I've seen is that over 90% of them could be subverted by non-technical people in 15 minutes or less. So it makes sense to use Tomcat's implementation of the J2EE standard. Plus, you also get access to J2EE user identity and authorization API functions.
Basic authentication isn't considered as secure as form-based authentication, but the Tomcat security system doesn't care which one you choose - it's separate from the authenticator, which is implemented in a Tomcat plugin known as a Realm. The Realm API is very simple. Its two most essential methods are the authenticate method, which accepts two arguments (the userid and password from the login dialog or form) and returns a true/false response (or throws an Exception). In that way, password data doesn't leak into Tomcat or the webapps and thus would-be exploiters don't get handed free assistance. The other essential method creates an instance of a UserPrincipal object, which the Realm, Tomcat server and even (if you're careful) the application program can use for realm-specific storage for that user.
Because the authenticate method is a simple yes/no interface, the Realm can be constructed to use a variety of backing services. There are Realm modules for XML files, JDBC databases, LDAP/Active Directory, Kerberos and more. And if you don't like the standard ones and need to, for example, authenticate against a custom web service, you can easily create your own Realm.
Unless you have some sort of really special need, I'd recommend using or creating a Realm over replacing the BasicAuthenticator class.
Some people, when well-known sources tell them that fire will burn them, don't put their hands in the fire.
Some people, being skeptical, will put their hands in the fire, get burned, and learn not to put their hands in the fire.
And some people, believing that they know better than well-known sources, will claim it's a lie, put their hands in the fire, and continue to scream it's a lie even as their hands burn down to charred stumps.
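A custom Realm of the kind the answer above recommends, as an added example (not code from the original post or from Tomcat itself). It extends Tomcat 8's `org.apache.catalina.realm.RealmBase` and overrides `authenticate(String, String)`, which in Tomcat actually returns a `java.security.Principal` (null on failure) rather than a boolean. The `CredentialVerifier` interface, the `serviceUrl` attribute and the class name `WebServiceRealm` are assumptions standing in for whatever custom web service does the real check.

```java
package com.example.auth; // hypothetical package, not part of the original post

import java.security.Principal;
import java.util.List;

import org.apache.catalina.LifecycleException;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Added example: a Realm that delegates the username/password check to a
 * pluggable verifier (e.g. a client for a custom web service). Tomcat keeps
 * doing BASIC/FORM authentication; only the credential check is replaced.
 *
 * Wire it up in META-INF/context.xml (or server.xml):
 *   <Realm className="com.example.auth.WebServiceRealm"
 *          serviceUrl="https://auth.example.internal/check"/>
 * Tomcat maps each XML attribute to a bean setter on this class.
 */
public class WebServiceRealm extends RealmBase {

    /** Hypothetical verifier interface; implement it against your real service. */
    public interface CredentialVerifier {
        /** Returns the user's roles on success, or null if the credentials are rejected. */
        List<String> verify(String username, String password);
    }

    private String serviceUrl;
    private CredentialVerifier verifier;

    public void setServiceUrl(String serviceUrl) { this.serviceUrl = serviceUrl; }
    public String getServiceUrl() { return serviceUrl; }

    /** Injection point for the verifier (set programmatically or in startInternal). */
    public void setVerifier(CredentialVerifier verifier) { this.verifier = verifier; }

    @Override
    protected void startInternal() throws LifecycleException {
        super.startInternal();
        // Fail fast at deploy time rather than silently rejecting every login later.
        if (verifier == null) {
            throw new LifecycleException("WebServiceRealm: no CredentialVerifier configured");
        }
    }

    @Override
    public Principal authenticate(String username, String credentials) {
        // Reject without saying why: an attacker must not learn whether the
        // user exists or whether only the password was wrong.
        if (username == null || credentials == null) {
            return null;
        }
        List<String> roles = verifier.verify(username, credentials);
        if (roles == null) {
            return null;
        }
        // Password intentionally not stored in the Principal (second arg null);
        // only the name and roles reach Tomcat's authorization layer.
        return new GenericPrincipal(username, null, roles);
    }

    // RealmBase declares these abstract. getPassword() is only used by the
    // default authenticate() implementation and by DIGEST auth, which needs
    // the cleartext password; since we never expose it, this realm supports
    // BASIC and FORM but not DIGEST.
    @Override
    protected String getPassword(String username) { return null; }

    @Override
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(username, null, null);
    }

    // Abstract in Tomcat 8.0.x; removed in 8.5 and later, so drop it there.
    @Override
    protected String getName() { return "WebServiceRealm"; }
}
```

The compiled class (and its verifier implementation) must live where the container class loader can see it, normally a jar in `$CATALINA_HOME/lib`, not inside the webapp's WEB-INF/lib, because the Realm is instantiated by Tomcat before the webapp's class loader exists. With this in place the `<auth-method>BASIC</auth-method>` entry in web.xml stays as it is; Tomcat's BasicAuthenticator parses the Authorization header and hands the pair to this Realm, which is exactly the separation the answer describes.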
Did you ever grow anything in the garden of your mind? - Fred Rogers.