Tomcat: Custom form authenicator in a web applicat

2020-04-18 08:48发布

问题:

Our web application requires custom form authentication with specific logic inside. The current form authenticator implementation requires the authenticator module, let's call it custom.auth.jar, to be present in %CATALINA_HOME%/lib before the web application starts. The web application uses that custom authenticator module using the following context.xml directive:

<Valve className="foo.bar.CustomAuth" characterEncoding="UTF-8"/>

As far as I understand Tomcat requirements, this module, custom.auth.jar, must be present in Tomcat's lib directory before the web application starts, because the web application does not seem to require the authenticator code packaged with the web archive -- it always tries to find it in %CATALINA_HOMA%/lib. Otherwise the web application simply cannot start:

SEVERE: Parse error in context.xml for /webapp
java.lang.ClassNotFoundException: foo.bar.CustomAuth

Due to the specifics of the authentication business logic and some protection, we were forced to introduce some kind of versioning of the authentication module, and check its version in the web application application listener -- if the web application finds an incompatible version of authentication module (not checking the JAR-file provided in the Tomcat's library directory -- we use reflection instead) -- it simply refuses to start reporting the compatibility error between the web application being tried to start and the authentication module. Again, an existing authenticator module must be specified in context.xml.

Despite it protects the incompatible versions, this gives some major difficulties: we cannot start another version of the same application in the same Tomcat instance, because these two applications require different versions of the authentication module. But there can be a single version in the Tomcat's lib directory.

My question is: is it possible to package the custom FormAuthenticator directly in the web application not requiring that single version of the FormAuthenticator to be loaded before the web application is being started? This would allow to start as many versions of the web application as we want and do not touch %CATALINA_HOME%/lib at all.

In other words: how can I make Tomcat to take the custom authenticator module from the web application, not from its home library directory? Thanks.

回答1:

Valve classes cannot be loaded by a webapp class loader. Take a look at the answer to this question.

As a possible solution to the versioning issue, consider starting different Tomcat instances by overriding the CATLINA_BASE environment variable. Running with separate CATALINA_HOME and CATALINA_BASE is documented in RUNNING.txt file which can be found in Tomcat distribution. I could also share a working example configuration.