I am in the process of setting up a web service between an Android app and
Tomcat 6.0.26 implemented with Jersey. I already have client and server
communicating with each other by sending XML requests. But I would like the
user of the client to be authenticated by the server for a set period of
time and then have to re-authenticate after that time has expired.
Can anyone suggest anything?
Martin O'Shea.
asked Jul 18 2013 at 02:34 in Tomcat-Users by Martin O'Shea

16 Answers

It may be better to ask this on the Jersey user's list.
I would imagine that Jersey provides a way to force the client to be authenticated. This
would work via a session, and there is probably a way to set the session timeout.
After the last interaction + the timeout, the session will expire, and this should
automatically force the client to re-authenticate at the next access.
answered Jul 18 2013 at 06:15 by André Warnier
Thanks Andre. I have already done so. I thought to ask it on both just in
answered Jul 18 2013 at 06:25 by Martin O'Shea
If you are using Servlet 3.0, you can use HttpServletRequest.login to
authenticate the user using a realm configured for the context. If you
use FORM authentication, then the session's expiration time becomes
the duration of the login (a caveat being that the timeout is reset
for every request the client makes).
If you want fixed-login times (like 30-minutes max regardless of how
many requests are made), then stuff your own expiration date into the
user's session and then check that timeout with each request. This
could all be done in a Filter to keep things orthogonal to your
servlet code.
Or were you looking for something more elaborate?
-chris
answered Jul 18 2013 at 07:05 by Christopher Schultz
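Added example, not part of Christopher Schultz's post or of Tomcat or Jersey: a sketch of the Filter he describes, which stamps a fixed deadline into the session on the first authenticated request and rejects requests after it. The class name, the session attribute name and the `maxLoginMinutes` init-param are hypothetical, and it assumes the login is held in the session (FORM authentication or HttpServletRequest.login) with the filter mapped to the protected URL pattern in WEB-INF/web.xml.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example: caps a login at a fixed lifetime regardless of activity. */
public class AbsoluteLoginTimeoutFilter implements Filter {
    // Hypothetical session attribute name; the init-param name below is also an assumption.
    private static final String EXPIRES_AT = "example.login.expiresAt";
    private long maxLoginMillis = 30 * 60 * 1000L; // 30 minutes, as in the post

    public void init(FilterConfig cfg) throws ServletException {
        String minutes = cfg.getInitParameter("maxLoginMinutes");
        if (minutes != null) {
            maxLoginMillis = Long.parseLong(minutes.trim()) * 60 * 1000L;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session != null && request.getUserPrincipal() != null) {
            long now = System.currentTimeMillis();
            Long expiresAt = (Long) session.getAttribute(EXPIRES_AT);
            if (expiresAt == null) {
                // First authenticated request: stamp the deadline once, never refresh it.
                session.setAttribute(EXPIRES_AT, Long.valueOf(now + maxLoginMillis));
            } else if (now >= expiresAt.longValue()) {
                // Deadline passed: drop the session so the container forgets the login.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login expired");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

With HTTP BASIC the client re-sends its credentials on every request, so invalidating the session does not by itself force a new prompt; the fixed deadline is meaningful for session-based logins such as FORM.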
It's a case of considering options at the moment. It doesn't matter too much about the actual expiration time of the session. But a question arises concerning use of a realm: if I have the following code in a realm in context.xml for existing browser-based logging in:
<Realm className = "org.apache.catalina.realm.DataSourceRealm"
       debug = "99"
       dataSourceName = "jdbc/MyApp"
       localDataSource = "true"
       userTable = "User"
       userNameCol = "UserName"
       userCredCol = "Password"
       userRoleTable = "User"
       roleNameCol = "RoleName" />
Could it be used also for the REST service? And would a servlet be required to handle authentication?
Martin O'Shea.
answered Jul 18 2013 at 07:32 by Martin O'Shea
FWIW, MD5 is basically deprecated at this point. I would use at least
SHA-256 for password-hashing. Honestly, I'd use a password-mangling
algorithm and not a straight-up hash (like bcrypt, scrypt, PBKDF2, etc.).
(I've been toying-around with modifications to Tomcat's Realms and
underlying code to help support such things, but I haven't come up
with a good patch, yet).
This should be removed: it must have come from an old configuration.
You can use it for anything you'd like.
No, you can use a Filter. I'm not sure how Jersey is implemented, but
I suspect that you configured either a Servlet or a Filter at some
point in WEB-INF/web.xml. Just make sure that your own Filter performs
whatever is necessary to authenticate (e.g. calling
HttpServletRequest.login) and then sets-up the request so that Jersey
knows that the user has been successfully authenticated (it probably
just checks ServletRequest.getPrincipal, which will be set up
correctly after a successful call to HttpServletRequest.login).
-chris
answered Jul 18 2013 at 07:39 by Christopher Schultz
Well, apart from the layers of obfuscation added by Jersey, fundamentally the "REST
service" is still a webapp, composed of servlets.
So it is more a case of "does Jersey provide an authentication servlet (or filter) ? and
what can it do ?". No ?
Or does Jersey rely on container-based authentication ?
answered Jul 18 2013 at 07:42 by André Warnier
OK. So let me see if I understand what you’re suggesting: I already have client and server communicating with each other by sending XML requests via Jersey with a servlet implemented in web.xml.
So in addition to this, I would need a filter set to intercept requests with a URL pattern /rest/*. This filter can then call HttpServletRequest.login?
answered Jul 18 2013 at 10:08 by Martin O'Shea
Yes, this is exactly what I'm suggesting. I'm sure there are other ways
to do it. I'm assuming that Jersey is using ServletRequest.getPrincipal
to get authentication information from the caller (which is a reasonable
assumption IMO). If it's being done in some other way, then this
technique may not work.
-chris
answered Jul 18 2013 at 10:51 by Christopher Schultz
I'm checking this with Jersey.
Martin O'Shea.
answered Jul 18 2013 at 10:54 by Martin O'Shea
Are there any suggestions if I'm not using servlet 3?
answered Jul 27 2013 at 09:00 by Martin O'Shea
Any reason the container-provided authentication system (e.g. HTTP
BASIC) isn't acceptable?
-chris
answered Jul 28 2013 at 07:36 by Christopher Schultz
Have you an example at all?
At the moment, I've simply rigged a simple authentication method of my own. Have you a code example of a container-provided authentication system, or could you refer me to one?
Martin O'Shea.
answered Jul 28 2013 at 07:40 by Martin O'Shea
Container-provided authentication can be done without writing any code
at all:
-chris
answered Jul 29 2013 at 09:21 by Christopher Schultz
Sorry Chris, I'm not sure what I'm looking for here. Can you elaborate?
answered Jul 29 2013 at 09:30 by Martin O'Shea
Don't top-post; it makes the conversation impossible to follow.
Step 1: read the security section of the Servlet spec.
Step 2: read the Tomcat doc Chris pointed out to you.
Step 3: look at the WEB-INF/web.xml settings in the relevant examples that come with Tomcat, including the manager and host-manager webapps.
- Chuck
answered Jul 29 2013 at 10:51 by Caldarale, Charles R
Just read the whole page:
If you don't understand, come back and ask more specific questions.
-chris
answered Jul 30 2013 at 07:36 by Christopher Schultz
