Posted to users@tomcat.apache.org by "Bongiorno, Christian" <Bo...@ensco.com> on 2001/11/14 18:59:06 UTC

parameters

I am pretty sure that this is true, but just to get a sanity check,
do the username and password come in as parameters to the servlet as part of
the ServletRequest?


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: parameters

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 14 Nov 2001, Bongiorno, Christian wrote:

> Date: Wed, 14 Nov 2001 12:59:06 -0500
> From: "Bongiorno, Christian" <Bo...@ensco.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: 'Tomcat Users List' <to...@jakarta.apache.org>
> Subject: parameters
>
> I am pretty sure that this is true, but just to get a sanity check,
> do the username and password come in as parameters to the servlet as part of
> the ServletRequest?
>

In general the answer is "no", but it depends on which login method you
are using.  For BASIC authentication, they come in as part of the
"Authorization" header, in accordance with the requirements of HTTP (see
RFC 2617 for more info -- you can use the search engine at
<http://www.rfc-editor.org> to find it).

Once the user has been authenticated, you have access to the following
methods at the application level:
* request.getRemoteUser() returns the username
* request.getUserPrincipal() returns a java.security.Principal
  object for the authenticated user
* request.isUserInRole() lets you ask if the currently logged in
  user has a particular security role.

Note that the password is not visible through these APIs.  That is
appropriate, because you don't need it if you are letting the container
manage logins -- all you care about is whether the user has been
authenticated or not.

Craig
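
The reply above says that BASIC credentials arrive in the "Authorization" header rather than as request parameters. The following is an added example, not code from this thread or from Tomcat, that decodes such a header value the way RFC 2617 lays it out. The class name `BasicAuthHeader`, the sample credentials and the choice of UTF-8 for the decoded bytes are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (hypothetical class): decodes an HTTP BASIC "Authorization" header value.
public class BasicAuthHeader {

    /** Returns {username, password}, or null if the value is not well-formed BASIC credentials. */
    static String[] parse(String headerValue) {
        if (headerValue == null) {
            return null; // no header sent: the client has not offered credentials
        }
        String value = headerValue.trim();
        int space = value.indexOf(' ');
        // The scheme name is case-insensitive; anything other than "Basic" is not handled here.
        if (space < 0 || !value.substring(0, space).equalsIgnoreCase("Basic")) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(value.substring(space + 1).trim());
        } catch (IllegalArgumentException e) {
            return null; // token is not valid base64
        }
        // Assumption: UTF-8. RFC 2617 does not fix a character set for the credentials.
        String userPass = new String(decoded, StandardCharsets.UTF_8);
        // The user id cannot contain ':', but the password may, so split on the first one only.
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { userPass.substring(0, colon), userPass.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample credentials; base64 is an encoding, so this token is reversible by anyone.
        String token = Base64.getEncoder()
                .encodeToString("alice:s3cr3t:with:colons".getBytes(StandardCharsets.UTF_8));
        String[] samples = {
            "Basic " + token, "basic " + token, "Digest username=\"alice\"", "Basic !!!not-base64!!!", null
        };
        for (String sample : samples) {
            String[] creds = parse(sample);
            System.out.println(sample + " -> "
                    + (creds == null ? "rejected" : "user=" + creds[0] + " passwordLength=" + creds[1].length()));
        }
    }
}
```

With container-managed login the container performs this decoding itself, which is why the application only sees the result through the request methods listed in the reply.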

