Posted to users@tomcat.apache.org by David <am...@starhub.net.sg> on 2003/09/20 19:06:47 UTC

RE: Can JSP track users in a basic authentication protected realm ?

Actually I do not know how to do it. I know those internet banking sites
do it. They have this option of "Log out" for their users. When users
click on that "log out" option, they will in effect log out of the
protected realm. Should they decide to return to the same site again
(using the same instance of IE) they will be prompted for the password
and ID again.

Currently, with basic authentication (implemented using HTTP SERVER)
the server does not recognise if the user has moved onto another site
outside the protected realm. If he decides to surf an area outside the
protected realm, and decides to return to the protected realm, he will
not be prompted for a password.

This problem arises when the computer being used to access my protected
realm is a public computer. If that is the case, users who enter my
protected realm and forget to terminate that instance of IE are going
to allow subsequent users of that machine to access my site.

My question is how can I implement such a way as mentioned above?
The "log out" button kind of effect.

Many thanks.

Regards
David


-----Original Message-----
From: George Sexton [mailto:gsexton@mhsoftware.com] 
Sent: Sunday, September 21, 2003 12:47 AM
To: 'Tomcat Users List'
Subject: RE: Can JSP track users in a basic authentication protected
realm ?

Can you explain how Tomcat will be able to tell whether the user has
navigated away and returned, versus just taken some period of time
before getting the next page?

-----Original Message-----
From: David [mailto:amdawong@starhub.net.sg] 
Sent: Saturday, September 20, 2003 9:56 AM
To: Tomcat User
Subject: Can JSP track users in a basic authentication protected realm ?



Hi guys,
 
Does anyone know how I can implement the above mentioned?
Once they exit the protected realm (i.e. the protected folder in my
htdocs), when they re-enter the site again they will be asked for a
password. I have a simple basic authentication system but it doesn't
track the user when he leaves the protected realm. What I wanted to do
was to get the server to re-authenticate the user every time he leaves my
realm and tries to re-enter again.

Some people suggested CGI, some suggested PHP.

I would like to know if JSP can do the job. If yes, what level of
competence in JSP do I need?
 
 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org



Re: Can JSP track users in a basic authentication protected realm ?

Posted by Jon Wingfield <jo...@mkodo.com>.
You could possibly track the "referer" header of the request. If the 
referer is a site outside your protection domain then re-authenticate.
This could be done in a filter: Check the header, log out the user, 
redirect to the requested page to trigger re-authentication.

This technique assumes the "referer" header has been set by the browser. 
As it's not a mandatory header you may not always get it:
http://www.w3.org/Protocols/rfc2616/rfc2616.txt
Specifically section 14.36 Referer

HTH,

Jon

David wrote:
> Actually I do not know how to do it. I know those internet banking sites
> do it. They have this option of "Log out" for their users. When users
> click on that "log out" option, they will in effect log out of the
> protected realm. Should they decide to return to the same site again
> (using the same instance of IE) they will be prompted for the password
> and ID again.
> 
> Currently, with basic authentication (implemented using HTTP SERVER)
> the server does not recognise if the user has moved onto another site
> outside the protected realm. If he decides to surf an area outside the
> protected realm, and decides to return to the protected realm, he will
> not be prompted for a password.
> 
> This problem arises when the computer being used to access my protected
> realm is a public computer. If that is the case, users who enter my
> protected realm and forget to terminate that instance of IE are going
> to allow subsequent users of that machine to access my site.
> 
> My question is how can I implement such a way as mentioned above?
> The "log out" button kind of effect.
> 
> Many thanks.
> 
> Regards
> David
> 
> 
> -----Original Message-----
> From: George Sexton [mailto:gsexton@mhsoftware.com] 
> Sent: Sunday, September 21, 2003 12:47 AM
> To: 'Tomcat Users List'
> Subject: RE: Can JSP track users in a basic authentication protected
> realm ?
> 
> Can you explain how Tomcat will be able to tell whether the user has
> navigated away and returned, versus just taken some period of time
> before getting the next page?
> 
> -----Original Message-----
> From: David [mailto:amdawong@starhub.net.sg] 
> Sent: Saturday, September 20, 2003 9:56 AM
> To: Tomcat User
> Subject: Can JSP track users in a basic authentication protected realm ?
> 
> 
> 
> Hi guys,
>  
> Does anyone know how I can implement the above mentioned?
> Once they exit the protected realm (i.e. the protected folder in my
> htdocs), when they re-enter the site again they will be asked for a
> password. I have a simple basic authentication system but it doesn't
> track the user when he leaves the protected realm. What I wanted to do
> was to get the server to re-authenticate the user every time he leaves my
> realm and tries to re-enter again.
> 
> Some people suggested CGI, some suggested PHP.
> 
> I would like to know if JSP can do the job. If yes, what level of
> competence in JSP do I need?
>  
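
The filter Jon describes (check the header, log out the user, redirect) is shown below as an added example, not code from the thread, written against the javax.servlet API. It assumes a session-based container login such as FORM, because with BASIC the browser resends its cached credentials and invalidating the session does not bring back the prompt; the class name, the "reauth.entrySeen" attribute and the rule that the first request of each login session passes are assumptions introduced here so that the redirect after login does not loop.

```java
import java.io.IOException;
import java.net.URI;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: forces a fresh login when an authenticated request arrives from another host. */
public class ExternalRefererReauthFilter implements Filter {
    // Hypothetical session attribute: set once the first request of a login session has passed.
    static final String ENTRY_SEEN = "reauth.entrySeen";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession session = req.getSession(false);

        if (session != null && req.getUserPrincipal() != null) {
            // The first request after a login may still carry the external Referer
            // that triggered the logout, so it is let through and only marked.
            boolean firstRequest = session.getAttribute(ENTRY_SEEN) == null;
            if (!firstRequest && isExternal(req.getHeader("Referer"), req.getServerName())) {
                session.invalidate(); // log out
                // Collapse leading slashes so the Location cannot be read as "//other-host/...".
                String target = req.getRequestURI().replaceFirst("^/+", "/");
                if (req.getQueryString() != null) target += "?" + req.getQueryString();
                res.sendRedirect(target); // container now demands a login for this page
                return;
            }
            session.setAttribute(ENTRY_SEEN, Boolean.TRUE);
        }
        chain.doFilter(rq, rs);
    }

    /** True when the Referer names a host other than the one this request was sent to. */
    static boolean isExternal(String referer, String ownHost) {
        if (referer == null || referer.isEmpty()) return false; // optional header (RFC 2616 14.36)
        try {
            String host = URI.create(referer).getHost();
            // No host means a relative Referer, which resolves against our own site.
            return host != null && !host.equalsIgnoreCase(ownHost);
        } catch (IllegalArgumentException e) {
            return true; // unparseable value: ask for the login again
        }
    }
}
```

A request that arrives without a Referer passes unchanged, so the filter shortens the shared-computer exposure David describes but cannot be the only control; an explicit logout link and a short session timeout cover the cases it misses.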