0

I have a Tomcat 5.5 server that hosts some HTML pages. I want to control the access to these pages. The incoming users' HTTP requests are supposed to have special authentication values.

What I need is to write a function that returns true/false based on the authentication value for each user request. Based on this true/false value, the user should be granted the access or not.

Any idea about how to do that?

Thanks

Ticker23

3 Answers

1

You have to write your own Authenticator in Tomcat.

Edit:

  1. Subclass the AuthenticatorBase class and implement the abstract method authenticate
  2. Place your jar in the lib folder of Tomcat, not your webapp
  3. Specify in your web.xml which resources you want to protect.
  4. Declare your authenticator in your context.xml => this is technically a Valve
  5. Deploy your application and be happy!
Michael-O
  • I couldn't find a proper usage example. can you provide me with one please? – Ticker23 Jul 26 '11 at 14:02
  • Take the `BasicAuthenticator` in the same directory. – Michael-O Jul 26 '11 at 14:07
  • Please elaborate more. I found many links to the source code of BasicAuthenticator.java, but I didn't find any example of how to use it. I want to override the authenticate function and write my own authentication logic, but how do I specify the URL path this authentication applies for? Where would the derived class fit into my project? – Ticker23 Jul 26 '11 at 15:01
1

A pragmatic solution would be to create a ServletFilter and map it to all resources (/*). Reading your question, I guess your authentication method will not be based on sessions (JSESSIONID cookie), but on tokens part of the URL itself.

home
  • Actually I'm not using the JSESSIONID cookie itself, but I'm using another cookie inside of the HTTP header (let's call it MYSESSIONID). Using the value of this session I will be able to authenticate the user and decide whether to grant him access or not. If my pages were JSP instead of HTML, I would have been able to programmatically do that from the JSP page itself. But since I'm using HTML pages, I won't be able to do that. That's why I need a server method (like a Tomcat solution). – Ticker23 Jul 26 '11 at 14:05
  • From what I'm seeing in ServletFilter link you're providing, this also can only be applied to server side scripting.. is that right, or can I use it for HTML pages also? – Ticker23 Jul 26 '11 at 14:06
  • I found this link: http://www.lumdev.net/node/2554 It does exactly what I wanted to do – Ticker23 Jul 27 '11 at 14:18
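
The filter approach from this answer, applied to the MYSESSIONID cookie mentioned in the comments, as an added example that is not part of the original answer or comments. The class name `CookieAuthFilter`, the in-memory `ACTIVE` map standing in for the site's own session check, and the 403 response are assumptions; the API used is the standard `javax.servlet` Filter interface available in Tomcat 5.5.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// web.xml mapping (class name is hypothetical; add your package prefix):
//   <filter><filter-name>authFilter</filter-name>
//           <filter-class>CookieAuthFilter</filter-class></filter>
//   <filter-mapping><filter-name>authFilter</filter-name>
//           <url-pattern>/*</url-pattern></filter-mapping>
// A filter mapped this way runs before Tomcat's default servlet, so it also
// guards static .html files, not only JSPs and servlets.
public class CookieAuthFilter implements Filter {
    private static final String COOKIE_NAME = "MYSESSIONID";
    // Constructed stand-in for the site's own session store: token -> expiry (epoch millis).
    static final Map<String, Long> ACTIVE = new ConcurrentHashMap<String, Long>();

    public void init(FilterConfig cfg) {}

    // The true/false decision the question asks for; replace the body with the real check.
    static boolean isAuthorized(String token) {
        if (token == null || token.length() == 0) return false;
        Long expiry = ACTIVE.get(token);
        return expiry != null && expiry.longValue() > System.currentTimeMillis();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String token = null;
        Cookie[] cookies = request.getCookies();   // null when the request carries no cookies
        if (cookies != null) {
            for (int i = 0; i < cookies.length; i++) {
                if (COOKIE_NAME.equals(cookies[i].getName())) token = cookies[i].getValue();
            }
        }
        if (!isAuthorized(token)) {
            // Fail closed: a missing cookie, an unknown token and an expired token all stop here.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setHeader("Cache-Control", "private, no-store"); // keep pages out of shared caches
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```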
0

With Tomcat, you'll need to use a Realm to protect your pages.

http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html

element119
  • From what I read, Realm operates based on database tables representing users and roles. In my case, I have a different mechanism to authenticate/authorize address. – Ticker23 Jul 26 '11 at 13:58