Hi, I was able to implement form-based Tomcat security on my web app. It was good. But because of some restriction from the client I need to modify it.
The password is stored in encrypted form in the DB, so I can not rely on Tomcat's "authenticate" method, which simply "select"s the username/password from the DB and matches it. I have seen the implementation of org.apache.catalina.realm.JDBCRealm. Now, what I did: I wrote a CustomRealm

    package org.my.security;

    import java.security.Principal;
    import java.util.ArrayList;
    import java.util.List;

    import org.apache.catalina.realm.GenericPrincipal;
    import org.apache.catalina.realm.RealmBase;

    public class CustomRealm extends RealmBase {

        @Override
        protected String getName() {
            return this.getClass().getSimpleName();
        }

        // RealmBase asks for the stored credential; we decrypt the DB value first
        @Override
        protected String getPassword(final String username) {
            return retrieveEncryptedPassAndDecrypt(username);
        }

        @Override
        protected Principal getPrincipal(final String username) {
            final List<String> roles = new ArrayList<String>();
            roles.add("tomcat");
            return new GenericPrincipal(this, username, getPassword(username), roles);
        }

        @Override
        public Principal authenticate(String username, String credentials) {
            String serverCredentials = getPassword(username);
            // credential encrypt
            boolean validated;
            if (serverCredentials == null)
                validated = false;
            else if (hasMessageDigest())
                validated = serverCredentials.equalsIgnoreCase(digest(credentials));
            else
                validated = serverCredentials.equals(credentials);
            if (!validated) {
                return null;
            }
            return getPrincipal(username);
        }

        public String retrieveEncryptedPassAndDecrypt(String username) {
            ...
        }
    }

I put that file in server/lib and changed server.xml with this entry:

    <Realm className="org.my.security.CustomRealm" debug="0" />

It works fine. But now, when I am deploying it with the application, I am wondering how I would communicate with the database, since my DB layer is a combination of Spring, Hibernate and all the DAOs; the beans of the application will not be available here in this class, since it is on the server side, application independent.
If I put this class in the application WAR file and change server.xml to point to that class, my server gives an exception at startup, "class not found", which is quite logical. Now, actually what I want is to use the Tomcat security to match user/password (the password is in encrypted form in the DB; the encryption is done by my application before saving). If I use my custom Realm, then how can I access my DB connection classes populated by Spring/Hibernate?

cheers,
..alee

--
Muhammad Ali
http://techboard.wordpress.com
Software Engineer - E2ESP
muhammadaliamin(at)gmail(dot)com
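One way to give the realm its own database access without reaching into the application's Spring/Hibernate beans, as an added example rather than the poster's code: the realm reads a container-managed DataSource declared in server.xml's GlobalNamingResources (the same route Tomcat's own DataSourceRealm takes), and compares a salted hash instead of decrypting a stored password, so nothing reversible sits in the DB. The users table and its columns, the JNDI name jdbc/authdb and the Tomcat 5.5/6-era ServerFactory lookup are assumptions.

```java
package org.my.security;

import java.security.MessageDigest;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Arrays;
import java.util.List;
import javax.naming.Context;
import javax.sql.DataSource;
import org.apache.catalina.ServerFactory;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/** Added example. Assumed table: users(name, salt, pw_hash, roles) with
 *  pw_hash = hex(SHA-256(salt + password)) written by the application, and a
 *  <Resource name="jdbc/authdb" .../> under <GlobalNamingResources> in server.xml. */
public class JndiHashRealm extends RealmBase {
    private String dataSourceName = "jdbc/authdb";                  // assumed JNDI name
    public void setDataSourceName(String n) { dataSourceName = n; }  // <Realm dataSourceName="..."/>

    @Override protected String getName() { return "JndiHashRealm"; }
    @Override protected String getPassword(String user) { return null; }   // unused: hashes compared below
    @Override protected Principal getPrincipal(String user) { return null; } // built in authenticate()

    @Override public Principal authenticate(String user, String credentials) {
        if (user == null || credentials == null) return null;
        try {
            Context ctx = ServerFactory.getServer().getGlobalNamingContext(); // server-level, no webapp needed
            DataSource ds = (DataSource) ctx.lookup(dataSourceName);
            Connection c = ds.getConnection();
            try {
                PreparedStatement ps = c.prepareStatement(
                    "SELECT salt, pw_hash, roles FROM users WHERE name = ?");  // parameterised query
                ps.setString(1, user);
                ResultSet rs = ps.executeQuery();
                if (!rs.next()) return null;                                   // unknown user
                byte[] expected = hex(rs.getString("pw_hash"));
                byte[] actual = MessageDigest.getInstance("SHA-256")
                    .digest((rs.getString("salt") + credentials).getBytes("UTF-8"));
                if (!MessageDigest.isEqual(expected, actual)) return null;      // constant-time compare
                List<String> roles = Arrays.asList(rs.getString("roles").split(","));
                return new GenericPrincipal(this, user, null, roles);           // no password on the principal
            } finally { c.close(); }
        } catch (Exception e) {
            containerLog.error("authentication lookup failed for " + user, e);
            return null;                                                        // fail closed
        }
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

The JAR goes in server/lib like the poster's CustomRealm, and the JDBC driver has to be on the server classpath too, since the lookup happens outside any webapp.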