
    Externalization of Tomcat Authenticators



    There are numerous occasions when the default authentication methods provided by the servlet spec (BASIC, FORM, CLIENT-CERT, DIGEST) are insufficient for an enterprise. Typical scenarios include integration with an Identity Management Solution from a third-party vendor. Another is custom processing, for example when the authentication process needs to consider request headers.



    Starting with JBoss 4.0.4GA, this feature is available, as evidenced by the JIRA issue:


    (For 4.0.4.GA, please remember to take the patched jar from



    1. In the jboss-service.xml of jbossweb-tomcat55.sar/META-INF, uncomment the attribute "Authenticators".

    2. In the server.xml file of jbossweb-tomcat55.sar, uncomment the host element with the configClass attribute in it.

    <Host name="localhost" autoDeploy="false" deployOnStartup="false" deployXML="false"
    1. There is a configuration in the 4.0 testsuite where this is tested. The configuration is called "tomcat-federation-tests".

    > ant tomcat-federation-tests
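
As an added illustration (not code from this page and not JBoss's own HeaderAuthenticator), here is the kind of header-aware authenticator this externalization makes it possible to plug in, written against the Tomcat 5.5 AuthenticatorBase API. The package and class name, the header names, the proxy address and the "HEADER" auth type are assumptions; the sketch honours identity headers only from the fronting proxy and still has the realm validate the credential.

```java
package example.security; // hypothetical package name

import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;

/** Authenticates from headers set by a fronting identity proxy (illustrative). */
public class TrustedHeaderAuthenticator extends AuthenticatorBase {
    // Assumed values: replace with what your identity proxy actually uses.
    private static final String USER_HEADER = "X-SSO-User";
    private static final String TOKEN_HEADER = "X-SSO-Token";
    private static final String TRUSTED_PROXY = "127.0.0.1";

    public boolean authenticate(Request request, Response response,
                                LoginConfig config) throws IOException {
        // Reuse a principal already established for this request or session.
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            return true;
        }
        // Identity headers are only meaningful when the proxy set them; a client
        // that reaches the container directly can send any value it likes.
        if (!TRUSTED_PROXY.equals(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }
        String user = request.getHeader(USER_HEADER);
        String token = request.getHeader(TOKEN_HEADER);
        // The realm (the security domain under JBoss) validates the token; the
        // user header alone is never accepted as proof of identity.
        if (user != null && user.length() > 0 && token != null) {
            principal = context.getRealm().authenticate(user, token);
        }
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        // Bind the principal to the request (and to the session when caching is on).
        register(request, response, principal, "HEADER", user, token);
        return true;
    }
}
```

Compile it against the Tomcat 5.5 and servlet API jars shipped with the server; a missing header or a token the realm rejects yields 401, and a request that did not come through the proxy yields 403.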


    Information on Authenticators

    Test HeaderAuthenticator

    JBoss AS5 and Beyond

    Please look in the default configuration section of PicketLinkAuthenticator for guidance.