5 Replies Latest reply on Sep 7, 2012 11:10 AM by greco

    Trying to get a custom Authentication valve working in EAP6/AS7

    Ian Hands Newbie

      I have the following class in a jar (for simplicity), and the jar is in my web archives WEB-INF/lib directory:


      package com.foo.catalina;
      import java.io.IOException;
      import org.apache.catalina.authenticator.FormAuthenticator;
      import org.apache.catalina.connector.Request;
      import org.apache.catalina.connector.Response;
      import org.apache.catalina.deploy.LoginConfig;
      public class TestAuthenticator extends FormAuthenticator {
                public boolean authenticate(final Request arg0, final Response arg1, final LoginConfig arg2) throws IOException {
                          return true;


      In my web archive's jboss-web.xml file I have:


      <?xml version="1.0" encoding="UTF-8"?>




      It seems that my TestAuthenticator is not being called, when a security constraint is hit. Here are the releavent logs:

      15:53:07,470 INFO  [org.apache.tomcat.util.http.Cookies] (http-localhost/ Cookies: Invalid cookie. Value not a token or quoted value
      15:53:07,492 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/ Security checking request GET /restrict
      15:53:07,493 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/  Calling hasUserDataPermission()
      15:53:07,493 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/  Calling authenticate()
      15:53:07,499 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] (http-localhost/ Save request in session 'm8hJWMy2KsQSpNQiebFFoLyh'
      15:53:11,146 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http-localhost/  Failed authenticate() test
      15:53:11,149 TRACE [org.jboss.security.SecurityRolesAssociation] (http-localhost/ Setting threadlocal:null


      Notice the authenticate() test apparently fails, and the org.apache.catalina.authenticator.FormAuthenticator logs a message... but my authenticate() method always returns true, and does not call the super (thus org.apache.catalina.authenticator.FormAuthenticator should not be running, right?).


      What I find interesting though is my valve is recognized by the server though. If purposfully remove the jar that contains com.foo.TestAuthenticator, then the server fails to deploy the web app (stating that it could not find the valve class).


      Also, I noticed that regardless of the login-config's auth-method configuration the auth-method seems to be dictated by the base class of TestAuthenticator.


      For example:

      If I have "<auth-method>FORM</auth-method>", and "TestAuthenticator extends FormAuthenticator" then my app does not prompt for a password via the browsers basic auth pop up (expected).


      However, if I have "<auth-method>FORM</auth-method>", and "TestAuthenticator extends BasicAuthenticator" then my app does prompt for a password via the browsers basic auth pop up (unexpected).


      Am I doing something silly here?


      FWIW, in the end I am trying to use port over an EAP4.3 impl. The 4.3 valve pulls a cookie from the request, and uses the value to auth a user. TestAuthenticator is just me trying to keep things simple (the real impl had the same issue).