You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Twylite <tw...@crypt.co.za> on 2001/06/01 11:26:10 UTC

Per-context authentication database

Hi,

It is possible to have a per-context authentication database, especially one that does not have to be configured 
using server.xml ?

This is the sort of scenario I am looking at:  A WAR file is added to the webapps directory, and on restarting 
Tocmat will be deployed.  It contains all of the information necessary for it to function, including its own 
password database (and maybe even the database drivers).  There is no need to modify the server.xml in any 
way.  

The very important catch here is that I want to use Tomcat's support for form logon - that is, the form-logon-
page and logon-error-page in the web.xml, and all that jazz.  I do not intend writing my own logic to handle the 
authentication!

Can this be done?

If it can't, would it be possible to do it by making a new RequestInterceptor?

Twylite

Re: Per-context authentication database

Posted by Antony Bowesman <ad...@teamware.com>.

Hi,

My comments relate to tomcat 3, not 4 but the same principles apply.

Twylite wrote:
> 
> Hi,
> 
> It is possible to have a per-context authentication database,
> especially one that does not have to be configured using server.xml ?
> 
> This is the sort of scenario I am looking at:  A WAR file is added
> to the webapps directory, and on restarting Tocmat will be deployed.
> It contains all of the information necessary for it to function, 
> including its own password database (and maybe even the database 
> drivers).  There is no need to modify the server.xml in any way.
> 
> 
> Can this be done?

I have written a JAAS Realm which is configured in the usual way in
server.xml.  e.g.

        <RequestInterceptor 
            className="com.teamware.phoenix.security.JAASRealm" 
                JAASConfigEntry="other"
                debug="99" />

The server.xml attributes specify defaults for all contexts.  However,
specific attributes can be configured in web.xml for each web app, such
as

  <context-param>
    <param-name>JAASConfigEntry</param-name>
    <param-value>test</param-value>
  </context-param>

to override the default.  In the realm implementation authenticate() I
just do stuff like

    Context ctx = req.getContext();
    String jaasConfigEntry = ctx.getInitParameter(jaasConfigKey);

which allows context specific authentication.  I guess it's easy enough
to modify the JDBC realm so that you can use different databases per
context using this mechanism or write your own realm.

> The very important catch here is that I want to use Tomcat's support
> for form logon - that is, the form-logon-page and logon-error-page
> in the web.xml, and all that jazz.  I do not intend writing my own
> logic to handle the authentication!

I'm not sure what you mean by not wanting to write your own logic to
handle the authentication.  JDBC realm simply does string comparison
between two passwords.  Authentication in the JAAS Realm is handled by
the JAAS Login module.  The form login support is not really relevant, I
think all the realm implementations I've seen support both form/basic
auth.

Rgds
-- 
Antony Bowesman
Teamware Group 
adb@teamware.com
tel: +358 9 5128 2562
fax: +358 9 5128 2705