This package contains
Authenticator implementations for the
various supported authentication methods (BASIC, DIGEST, and FORM). In
addition, there is a convenience base class,
AuthenticatorBase, for customized
If you are using the standard context configuration class
org.apache.catalina.startup.ContextConfig) to configure the
Authenticator associated with a particular context, you can register the Java
class to be used for each possible authentication method by modifying the
following Properties file:
Each of the standard implementations extends a common base class
AuthenticatorBase), which is configured by setting the
following JavaBeans properties (with default values in square brackets):
- cache - Should we cache authenticated Principals (thus avoiding
per-request lookups in our underlying
Realm) if this request is part of an HTTP session? [true]
- debug - Debugging detail level for this component. 
The standard authentication methods that are currently provided include:
- BasicAuthenticator - Implements HTTP BASIC authentication, as described in RFC 2617.
- DigestAuthenticator - Implements HTTP DIGEST authentication, as described in RFC 2617.
- FormAuthenticator - Implements FORM-BASED authentication, as described in the Servlet API Specification.
ClassDescriptionBasic implementation of the Valve interface that enforces the
<security-constraint>elements in the web application deployment descriptor.An Authenticator and Valve implementation of HTTP BASIC Authentication, as outlined in RFC 7617: "The 'Basic' HTTP Authentication Scheme"Parser for an HTTP Authorization header for BASIC authentication as per RFC 2617 section 2, and the Base64 encoded credentials as per RFC 2045 section 6.8.An Authenticator and Valve implementation of HTTP DIGEST Authentication, as outlined in RFC 7616: "HTTP Digest Authentication"This enum exists because RFC 7616 and Java use different names for some digests.An Authenticator and Valve implementation of FORM BASED Authentication, as described in the Servlet API Specification.An Authenticator and Valve implementation that checks only security constraints not involving user authentication.Object that saves the critical information from a request so that form-based authentication can reproduce it once the user has been authenticated.A Valve that supports a "single sign on" user experience, where the security identity of a user who successfully authenticates to one web application is propagated to other web applications in the same security domain.A class that represents entries in the cache of authenticated users.Key used by SSO to identify a session.A SPNEGO authenticator that uses the SPNEGO/Kerberos support built in to Java 6.This class gets a gss credential via a privileged action.This class implements a hack around an incompatibility between the SPNEGO implementation in Windows and the SPNEGO implementation in Java 8 update 40 onwards.An Authenticator and Valve implementation of authentication that utilizes SSL certificates to identify client users.