Posted to users@tomcat.apache.org by DJ...@desknetinc.com on 2006/07/27 18:21:36 UTC

Re: servlet and HTTP authentication

<Sorry for top post:  Notes e-mail client restriction>
If you configure Tomcat to NOT require authentication for this particular 
servlet, then your servlet can examine the credentials, and if they are 
absent or insufficient, send a 401 - Not Authorized response, which causes 
the browser to prompt for id/pass.  You can also manipulate the "realm" 
identified in that prompt by adding a WWW-Authenticate header to the 401 
response:
WWW-Authenticate: Basic realm="My Document Management System"

I'm not sure if tomcat will interpret the resulting "Authorization" header 
in the next request, given that you asked him not to authenticate, but you 
can always ask for the contents of that header, strip off the "Basic " 
from the front, and Base64.decode the rest, yielding userid:password. 
Split on the ":" and you have your id and password.



Please respond to "Tomcat Users List" <us...@tomcat.apache.org>

To:     Tomcat Users List <us...@tomcat.apache.org>
cc:      
Subject:        servlet and HTTP authentication




Hi all;

gotta solve a very special authentication situation: Users need to have
access to certain file packages using a URL like

http://.../packages/<package-id>


with <package-id> referring to an identifier stored in a local document
management system. User information (id, password) is stored in the DMS
database as well. To provide access to a certain package, I need to ensure

(a) the user is valid (thus, has authenticated)
(b) the user is the owner of the package (which I can find out using the DMS
database as well)


However, following this approach I cannot use container-based
authentication as the DBMS user management repository is not easily
accessible via such a configuration, but there are Java classes to
authenticate the user using an API which can be called from another Java
class, a servlet, ...


So, my question: Is there a way to configure Tomcat that, for a given
servlet or resource, an HTTP authentication window will appear and, then,
the data entered there (username, password) is given to the servlet in
order to do anything useful with it? I _suppose_ those parameters should
be available as part of the Request, but I don't know how to make tomcat
demand HTTP authentication _without_ automatically validating these
parameters.


Any hints on that?
TIA and bye,
Kristian


--
Kristian Rink *  http://zimmer428.net * jab: kawazu@jabber.ccc.de
icq: 48874445 *  fon: ++49 176 2447 2771
"When one person dreams alone, it is only a dream. When many dream
together, it is the beginning of a new reality." (Hundertwasser)


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
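The flow DJohnson outlines in the reply above (send a 401 with a WWW-Authenticate header when no Authorization header arrives, otherwise strip "Basic ", Base64-decode and split on ":", then consult the DMS) in working servlet code. This is an added example, not code from either poster or from Tomcat: `PackageServlet` is an assumed name, `DmsApi` is a hypothetical stand-in for Kristian's own DMS authentication classes, and the decoder is `java.util.Base64` from JDK 8 (a 2006 deployment would have used commons-codec or similar). It assumes the servlet is mapped to `/packages/*` in web.xml with no `<security-constraint>` covering that path.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread): a servlet that performs HTTP Basic
 * authentication itself for a resource Tomcat has NOT been asked to protect,
 * so the Authorization header reaches the servlet untouched.
 */
public abstract class PackageServlet extends HttpServlet {

    private static final String REALM = "My Document Management System";

    /** Hypothetical interface over the DMS database mentioned in the question. */
    public interface DmsApi {
        boolean authenticate(String userId, String password);
        boolean isOwner(String userId, String packageId);
    }

    /** Supplied by a concrete subclass that wraps the real DMS classes (hypothetical). */
    protected abstract DmsApi dms();

    /**
     * Parses "Basic <base64>" into {userId, password}.
     * Returns null when the header is absent, not Basic, not valid Base64,
     * or carries no ':' separator, so the caller re-challenges instead of crashing.
     */
    static String[] parseBasicCredentials(String authorization) {
        if (authorization == null) return null;
        // Scheme name is case-insensitive; exactly one space separates it from the token
        if (authorization.length() < 6
                || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String token = authorization.substring(6).trim();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return null; // malformed Base64: treat as no credentials
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: the user-id may not contain ':', but the password may
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** The 401 + WWW-Authenticate pair that makes the browser show its id/pass prompt. */
    private void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String[] creds = parseBasicCredentials(req.getHeader("Authorization"));
        // (a) no credentials, or credentials the DMS rejects: challenge again
        if (creds == null || !dms().authenticate(creds[0], creds[1])) {
            challenge(resp);
            return;
        }
        // Mapped as /packages/*, so getPathInfo() yields "/<package-id>"
        String path = req.getPathInfo();
        String packageId = (path == null || path.length() < 2) ? null : path.substring(1);
        // (b) authenticated but not the owner: 403, not another login prompt
        if (packageId == null || !dms().isOwner(creds[0], packageId)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("package " + packageId + " for user " + creds[0]);
    }
}
```

Two points worth keeping from the design: the split is on the first colon only, because the Basic scheme forbids ':' in the user-id but not in the password, so `split(":")` would truncate such passwords; and an authenticated user who is not the owner gets 403 rather than a fresh 401, since re-prompting cannot fix an ownership failure. Basic transmits the password reversibly encoded, so the URL should be served over HTTPS only.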



Re: servlet and HTTP authentication

Posted by Kristian Rink <kr...@zimmer428.net>.
Hey there;

and, at first, thanks a lot for the hint.

DJohnson@desknetinc.com wrote:

> WWW-Authenticate: Basic realm="My Document Management System"
> 
> I'm not sure if tomcat will interpret the resulting "Authorization" header 
> in the next request, given that you asked him not to authenticate, but you 
> can always ask for the contents of that header, strip off the "Basic " 
> from the front, and Base64.decode the rest, yielding userid:password. 
> Split on the ":" and you have your id and password.


Hmmm, I feel stupid right now as I could have thought about that myself.
Thanks for enlightening me, that's pretty much what I needed! :)

Thanks and bye,
Kristian





-- 
Kristian Rink *  http://zimmer428.net * jab: kawazu@jabber.ccc.de
icq: 48874445 *  fon: ++49 176 2447 2771
"When one person dreams alone, it is only a dream. When many dream
together, it is the beginning of a new reality." (Hundertwasser)

