Custom SpnegoAuthenticator worked with Tomcat 8 but gives 404 with Tomcat 9

Question

Project was developed with Jetty using Form Authentication. File login.jsp

<form method="post" action="j_security_check">
    <input type="text" name="j_username"/>
    <input type="password" name="j_password"/>
    <input type="submit" value="Login"/>
</form>

In production, it was published in Tomcat 8.0.53 and using a custom SpnegoAuthenticator . File conf/context.xml

<Context>
    <Valve className="com.CustomeSpnegoAuthenticator" />
</Context>

File tomcat/application/WEB-INF/web.xml includes these:

<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>REALMNAME</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
</login-config>

in file CustomeSpnegoAuthenticator.java, a FormAuthenticator is initialised and set up as below

public class CustomeSpnegoAuthenticator extends org.apache.catalina.authenticator.SpnegoAuthenticator {
    private FormAuthenticator formAuthenticator = new FormAuthenticator();
    @Override
    public void setContainer(Container container) {
        try {
            super.setContainer(container);
            formAuthenticator.setContainer(container);
            formAuthenticator.setLandingPage("/home");
            formAuthenticator.start();
            log.info("formAuthenticator state: " + formAuthenticator.getState())
        } catch (LifecycleException ex) {
            log.error("Failed to start authenticators, reason: " + ex.getMessage(), ex);
        }
    }
    @Override
    protected String getAuthMethod() {
        return Constants.SPNEGO_METHOD;
    }
    @Override
    public boolean authenticate(Request request, HttpServletResponse response) throws IOException {
        // process username and password
        // return result
    }
}

This worked well in Tomcat 8, authentication happens at localhost/application/j_security_check . But after deploying it in Tomcat 9.0.20, it starts giving 404 to localhost/application/j_security_check, although in CustomeSpnegoAuthenticator.java formAuthenticator's state is started. conf/context.xml, conf/web.xml,webapps/application/WEB-INF/web.xml are the same. Only Tomcat version is different.

Does anyone has any idea what might be the reason, or how can I debug further?

Answer 1

So after reading the source code, I found the implementation of authenticators in Tomcat 9 is a bit different from Tomcat 8. They replaced authenticate with doAuthenticate.

So the solution is in file CustomeSpnegoAuthenticator.java, change override function from authenticate to doAuthenticate. And because of this line: formAuthenticator.setLandingPage("/home");. In file login.jsp, action should be home/j_security_check.