Hello,

I am attempting to migrate our web app from Resin 3.1 to Tomcat 8.5.4. Ultimately, the intent is to be able to run our web app within Tomcat 8.5 on Mac OS X (in dev mode) or on a CentOS 7 box for production.

With Resin 3.1, you can use a subclass of the Resin AbstractAuthenticator class to do custom authentication. The AbstractAuthenticator instance is presented with the login credentials of the end user attempting to log in, as well as the HttpServletRequest instance itself so that any and all HTTP request state such as parameters can also be interrogated if necessary. This is the case for our application; we need to be able to interrogate those additional HTTP request parameters in some cases. So, I am trying to implement this same behavior in Tomcat 8.5.4.

In my research today on the topic, this appears to be much more difficult than I would expect in Tomcat 8.5, so I can only conclude I am missing something. Here are the two potential solutions I have found:

1) Provide our own implementation of the org.apache.catalina.Realm interface. While this would seem like "this must be the right approach" at first, I don't see where the Realm implementor has access to the HttpServletRequest instance when an inbound authentication attempt is occurring. True, there are overloaded authenticate() operations that must be implemented, but I don't see where any of them can obtain a reference to the inbound HttpServletRequest instance. I thought maybe the Container instance available to the Realm might contain it, but it looks to contain information that doesn't vary per HTTP request.

2) Introduce a ServletFilter, and of course this should work since the ServletFilter has full access to the inbound HttpServletRequest. However, this doesn't seem as appropriate as that Servlet filter then needs to do other things (e.g. Create a Subject and bind it to the Session, what to do with Principal instance, etc.) than just the raw authentication step and I don't find supporting information on how that should be implemented.

Am hoping someone on the list has faced this problem in a recent version of Tomcat and can point me in the right direction.

Thank you,
Doug