Given: Commercial application running as a servlet on Tomcat. Tomcat configuration (server.xml, web.xml) is open and may be modified. The app handles its own authentication via a conventional username/password form on a login page. I wanted to add a second factor to the authentication without modifying the app (except for its Tomcat/servlet conf).
My idea was to tack on a custom Realm to Tomcat. It would be independent from the application, except that I had to add a security constraint to its web.xml. The Realm would authenticate the user using a password provided to the user over a separate channel (SMS). After authentication the Realm would be transparent and let the user interact with the application as usual -- all according to my theory.

After some hacking my custom Realm was in place. Following the logic in a debugger I could see it worked as expected and reported successful authentication back to the Tomcat machinery. To my disappointment my browser still showed 403 Forbidden. At this point I was stumped and realized I don't know enough about Tomcat.

Is my theory viable or flawed? Have I overlooked something? What's a better way to add a second factor to the authentication of an opaque application running on Tomcat? All kinds of ideas and pointers are appreciated, thanks a lot.

View this message in context: http://old.nabble.com/Adding-two-factor-authentication-to-a-Tomcat-app---tp32229121p32229121.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
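The pieces the post describes (a custom Realm plus a security-constraint in the application's web.xml) are shown together below as an added example; it is not the poster's code and not part of Tomcat. It targets the Tomcat 7 RealmBase API, and the class name SmsCodeRealm, the role name "otp-verified" and the in-memory code store are assumptions for illustration (how the code is sent by SMS is out of scope and replaced by a stand-in). The check a practitioner would want: Tomcat authenticates with Realm.authenticate() and then authorizes by comparing the returned Principal's roles against the role-name in auth-constraint, so a Principal carrying no matching role gives exactly the symptom described, successful authentication followed by 403 Forbidden.

```java
// Added example (not from the poster or the Tomcat project): a minimal custom
// Realm for Tomcat 7 that checks a one-time code delivered out of band, plus the
// web.xml fragment it pairs with. SmsCodeRealm, the role "otp-verified" and the
// in-memory code store are assumptions for illustration.
//
// web.xml of the protected application (assumed fragment):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>whole app</web-resource-name>
//       <url-pattern>/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>otp-verified</role-name>   <!-- must match a role the Realm grants -->
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>BASIC</auth-method>
//     <realm-name>SMS code</realm-name>
//   </login-config>
//   <security-role><role-name>otp-verified</role-name></security-role>
//
// context.xml (or the <Context> in server.xml) declares the Realm:
//   <Realm className="example.SmsCodeRealm"/>
//
// Tomcat calls authenticate() first, then authorizes by checking the returned
// Principal's roles against <auth-constraint>. A Principal with no matching
// role produces the symptom in the question: authentication succeeds, the
// response is still 403 Forbidden.
package example;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

public class SmsCodeRealm extends RealmBase {

    /** Role that the web.xml <auth-constraint> requires. */
    static final String REQUIRED_ROLE = "otp-verified";

    /** Constructed stand-in for a store of codes already sent by SMS (user -> code). */
    private final Map<String, String> pendingCodes = new ConcurrentHashMap<String, String>();

    /** Called by whatever delivers the SMS; records the code the user must present. */
    public void registerCode(String username, String code) {
        pendingCodes.put(username, code);
    }

    @Override
    protected String getName() {
        return "SmsCodeRealm";
    }

    /** Verify the submitted code; a code is single-use, so remove it once checked. */
    @Override
    public Principal authenticate(String username, String credentials) {
        if (username == null || credentials == null) {
            return null;
        }
        String expected = pendingCodes.remove(username);
        if (expected == null || !constantTimeEquals(expected, credentials)) {
            return null;           // authentication failure: Tomcat re-challenges
        }
        return getPrincipal(username);
    }

    /** Not used: authenticate() is overridden, so Tomcat never needs a stored password. */
    @Override
    protected String getPassword(String username) {
        return null;
    }

    /**
     * The roles attached here are what Tomcat's authorization step compares
     * against <auth-constraint>. An empty list authenticates the user and
     * then yields 403.
     */
    @Override
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(username, null,
                Collections.singletonList(REQUIRED_ROLE));
    }

    /** Compare the codes without leaking the position of the first mismatch. */
    static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes(StandardCharsets.UTF_8);
        byte[] y = b.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(x, y);
    }
}
```

Because the constraint covers /* it is enforced before any request reaches the application's own servlet, so with this setup the browser is challenged for the SMS code first and the application's username/password form comes second; the Realm never sees, and does not need, the application's password.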