Posted to users@tomcat.apache.org by Jonathan Eric Miller <je...@uchicago.edu> on 2001/07/24 00:18:50 UTC

Which comes first basic authentication or redirection to SSL?

I'm using the following configuration in my web.xml file. I have it set up so
that SSL is required. I also have it set up so that basic authentication is
required.

What I'm wondering, though, is what happens first: redirection to the SSL port
or basic authentication?

So, say I enter the following into my browser,

http://localhost:8080/servlet/Test

It gets redirected to,

https://localhost:8443/servlet/Test

However, I don't see the https until after I have authenticated. Does this
mean that the authentication happened before the redirection?

Jon



<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_3.dtd">

<web-app>
 <servlet>
  <servlet-name>Test</servlet-name>
  <servlet-class>Test</servlet-class>
  <init-param>
   <param-name>initParameter</param-name>
   <param-value>value1</param-value>
  </init-param>
 </servlet>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Protected Area</web-resource-name>
   <!-- every URL in the web application is covered -->
   <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
   <!-- only authenticated users in the "tomcat" role may access it -->
   <role-name>tomcat</role-name>
  </auth-constraint>
  <user-data-constraint>
   <!-- CONFIDENTIAL: plain http requests are redirected to the SSL port -->
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>tomcat</realm-name>
 </login-config>
</web-app>



Re: Which comes first basic authentication or redirection to SSL?

Posted by "Craig R. McClanahan" <cr...@apache.org>.
For Tomcat 4.0, the user data constraint is enforced *before* the
authentication constraint.  The reasoning for this is that, if you're
going to use BASIC or FORM based authentication, you certainly don't want
the username and password going across the network in clear text.

Note that you won't necessarily be able to see this ordering if you're
using BASIC, however.  The reason is that the pop-up window for
authentication happens before the location bar (or the page itself) has
been updated.  To verify the order in which things happen, try switching
to form-based login temporarily.

Craig McClanahan


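The ordering Craig describes, as an added example that is not part of the thread and not Tomcat's own code: a small Python model of a container evaluating the posted web.xml constraint, checking the transport guarantee before the BASIC challenge. The url-pattern, role, realm name and CONFIDENTIAL guarantee come from the web.xml above; the user database, passwords and the 8443 SSL port are constructed for the example.

```python
import base64
from dataclasses import dataclass, field

# Constructed model of the web.xml above; not Tomcat's own code.
CONSTRAINT = {"url_pattern": "/*", "roles": {"tomcat"}, "transport": "CONFIDENTIAL"}
REALM, SSL_PORT = "tomcat", 8443
# Constructed user database standing in for the realm (e.g. tomcat-users.xml).
USERS = {"jon": ("s3cret", {"tomcat"}), "guest": ("guest", {"visitor"})}

@dataclass
class Request:
    scheme: str  # "http" or "https"
    host: str    # host name only; the port follows from the scheme
    path: str
    headers: dict = field(default_factory=dict)

def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-spec URL matching, reduced to exact and prefix ("/x/*") forms."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def handle(req: Request) -> tuple:
    """Return (status, headers), applying the checks in the order the reply
    describes: user-data-constraint first, auth-constraint second."""
    if not pattern_matches(CONSTRAINT["url_pattern"], req.path):
        return 200, {}
    # 1. Transport guarantee: a plain-text request is sent to the SSL port before
    #    its Authorization header is read; a password over http is never checked.
    if CONSTRAINT["transport"] == "CONFIDENTIAL" and req.scheme != "https":
        return 302, {"Location": f"https://{req.host}:{SSL_PORT}{req.path}"}
    # 2. BASIC authentication: challenge, then verify the credentials.
    challenge = 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return challenge
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return challenge
    if user not in USERS or USERS[user][0] != password:
        return challenge
    # 3. Authorization: a valid login outside the allowed roles is 403, not 401.
    if not USERS[user][1] & CONSTRAINT["roles"]:
        return 403, {}
    return 200, {}

def basic(user: str, password: str) -> dict:
    # The Authorization header a browser sends after answering the BASIC prompt.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

Feeding the model a plain http request that already carries credentials still yields the 302, which is the point of the ordering: the password is redirected away, not verified in the clear.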