This package contains
Authenticator implementations for the
various supported authentication methods (BASIC, DIGEST, and FORM). In
addition, there is a convenience base class,
AuthenticatorBase, for customized
If you are using the standard context configuration class
(org.apache.catalina.startup.ContextConfig) to configure the
Authenticator associated with a particular context, you can register the Java
class to be used for each possible authentication method by modifying the
following Properties file:
Each of the standard implementations extends a common base class
(AuthenticatorBase), which is configured by setting the
following JavaBeans properties (with default values in square brackets):
- cache - Should we cache authenticated Principals (thus avoiding
per-request lookups in our underlying
Realm) if this request is part of an HTTP session? [true]
- debug - Debugging detail level for this component. 
The standard authentication methods that are currently provided include:
- BasicAuthenticator - Implements HTTP BASIC authentication, as described in RFC 2617.
- DigestAuthenticator - Implements HTTP DIGEST authentication, as described in RFC 2617.
- FormAuthenticator - Implements FORM-BASED authentication, as described in the Servlet API Specification.
Class Summary
- AuthenticatorBase - Basic implementation of the Valve interface that enforces the <security-constraint> elements in the web application deployment descriptor.
- BasicAuthenticator - An Authenticator and Valve implementation of HTTP BASIC Authentication, as outlined in RFC 7617: "The 'Basic' HTTP Authentication Scheme"
- BasicAuthenticator.BasicCredentials - Parser for an HTTP Authorization header for BASIC authentication as per RFC 2617 section 2, and the Base64 encoded credentials as per RFC 2045 section 6.8.
- Constants
- DigestAuthenticator - An Authenticator and Valve implementation of HTTP DIGEST Authentication, as outlined in RFC 7616: "HTTP Digest Authentication"
- DigestAuthenticator.DigestInfo
- DigestAuthenticator.NonceInfo
- FormAuthenticator - An Authenticator and Valve implementation of FORM BASED Authentication, as described in the Servlet API Specification.
- NonLoginAuthenticator - An Authenticator and Valve implementation that checks only security constraints not involving user authentication.
- SavedRequest - Object that saves the critical information from a request so that form-based authentication can reproduce it once the user has been authenticated.
- SingleSignOn - A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain.
- SingleSignOnEntry - A class that represents entries in the cache of authenticated users.
- SingleSignOnListener
- SingleSignOnSessionKey - Key used by SSO to identify a session.
- SpnegoAuthenticator - A SPNEGO authenticator that uses the SPNEGO/Kerberos support built in to Java 6.
- SpnegoAuthenticator.AcceptAction - This class gets a gss credential via a privileged action.
- SpnegoAuthenticator.AuthenticateAction
- SpnegoAuthenticator.SpnegoTokenFixer - This class implements a hack around an incompatibility between the SPNEGO implementation in Windows and the SPNEGO implementation in Java 8 update 40 onwards.
- SSLAuthenticator - An Authenticator and Valve implementation of authentication that utilizes SSL certificates to identify client users.
Enum Summary
- AuthenticatorBase.AllowCorsPreflight
- DigestAuthenticator.AuthDigest - This enum exists because RFC 7616 and Java use different names for some digests.
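The BasicAuthenticator.BasicCredentials entry above describes parsing a BASIC Authorization header and its Base64 encoded credentials. The following is an added example of that kind of parsing, not Tomcat's own code and not part of the original page; the names BasicHeaderDemo, Credentials, parse and b64, the UTF-8 charset choice, the decision to reject a missing colon, and the sample headers are all assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
// Added illustration; not Tomcat's BasicAuthenticator.BasicCredentials.
public class BasicHeaderDemo {
    // Hypothetical holder for the decoded user-id / password pair.
    static final class Credentials {
        final String username;
        final String password;
        Credentials(String u, String p) { username = u; password = p; }
    }

    // Empty result = not a well-formed BASIC header; the caller should
    // re-challenge (401) rather than guess at the sender's intent.
    static Optional<Credentials> parse(String header) {
        // Scheme names are case-insensitive; too-short input simply fails.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Optional.empty();
        }
        byte[] decoded;
        try {
            // The basic decoder throws on characters outside the alphabet.
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // Assumption: credentials are UTF-8 encoded.
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        int colon = userPass.indexOf(':'); // first colon: passwords may contain ':'
        if (colon < 0) {
            return Optional.empty(); // this example rejects a missing separator
        }
        return Optional.of(new Credentials(
                userPass.substring(0, colon), userPass.substring(colon + 1)));
    }

    static String b64(String s) {
        return Base64.getEncoder().encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample headers, not captured traffic.
        String[] samples = { "Basic " + b64("alice:s3cret"), "basic " + b64("bob:pa:ss"),
            "Basic " + b64("nocolon"), "Basic !!!not-base64!!!", "Digest username=\"alice\"" };
        for (String h : samples) { // print password length only, never the secret
            System.out.println(parse(h).map(c -> c.username + " (password: "
                + c.password.length() + " chars)").orElse("rejected"));
        }
    }
}
```

The first two samples parse (the second keeps "pa:ss" intact as the password), and the remaining three are rejected.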