Posted to users@tomcat.apache.org by "Bongiorno, Christian" <Bo...@ensco.com> on 2001/11/13 19:48:17 UTC

How to bring back pop-up with BASIC authentication

Can someone explain to me how I can tell tomcat from within my custom realm
to prompt the user again for login if their password should fail? The built
in realms all do this, but for the life of me I can't figure out how this is
being done in the code -- I have been over it several times.

Any help would be appreciated.

Chris (new to the group)

--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>


Re: How to bring back pop-up with BASIC authentication

Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Tue, 13 Nov 2001, Bongiorno, Christian wrote:

> Date: Tue, 13 Nov 2001 13:48:17 -0500
> From: "Bongiorno, Christian" <Bo...@ensco.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: 'Tomcat Users List' <to...@jakarta.apache.org>
> Subject: How to bring back pop-up with BASIC authentication
>
> Can someone explain to me how I can tell tomcat from within my custom realm
> to prompt the user again for login if their password should fail? The built
> in realms all do this, but for the life of me I can't figure out how this is
> being done in the code -- I have been over it several times.
>

(This is the Tomcat 4 version of the answer.)  The key point - it's NOT
the Realm that prompts or reprompts the user -- it's the Authenticator
that does this.

A Realm is simply a "user database".  The various Authenticators acquire
the username and password to be checked by some means specific to that
authenticator.  Then, they try to validate the user by calling
Realm.authenticate(username, password).  If the Realm returns null, that
means the user was not recognized.  What happens next is totally up to
that Authenticator.

The Authenticator for BASIC is the easiest to understand
(org.apache.catalina.authenticator.BasicAuthenticator).  Once it is
determined that authentication is required, it does the following:

* Have we authenticated a user already for the current
  session?  If so, just reuse that identity.  (This caching
  saves a lot of effort, especially when your Realm connects
  to a remote database or directory server).

* Were the username and password included with this request?
  If not, send back an HTTP 401 status, which triggers the
  browser to put up the login dialog box.

* Are the username and password valid?  This is checked by calling
  Realm.authenticate().  If not, send back a 401 again (which
  will cause the browser to reprompt the user).

* Is there a session for this request?  If so, cache the
  authenticated Principal so we can use it next time.

* Update the current request so that getRemoteUser(), getUserPrincipal(),
  and isUserInRole() will return the correct results based on the
  authenticated user.

(Warning -- don't try to understand the code in FormAuthenticator unless
you want to go cross-eyed :-).

Getting back to your original question, all your Realm should do is return
null to the authenticate() call for an invalid username or password.  The
Authenticator selected for this webapp will do the rest.

> Any help would be appreciated.
>
> Chris (new to the group)
>

Craig
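The five steps Craig lists, modelled as an added example in Python (this is not Tomcat's BasicAuthenticator or RealmBase code): a stand-in Realm that returns None for an unknown user or a wrong password, and an authenticator that turns that None into a 401 carrying a WWW-Authenticate challenge, which is what makes the browser re-prompt. The user table, realm name and session dict are constructed for the demonstration.

```python
import base64
from typing import Optional

# Constructed user database standing in for a Realm: username -> password.
USERS = {"alice": "s3cret"}


def realm_authenticate(username: str, password: str) -> Optional[str]:
    """Stand-in for Realm.authenticate(): principal name, or None if not recognized."""
    if USERS.get(username) == password:
        return username
    return None  # all a custom Realm has to do for a bad login


def basic_header(username: str, password: str) -> str:
    """What the browser sends after the login dialog: 'Basic base64(user:pass)'."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic(header: Optional[str]):
    """Decode an Authorization header; (user, password) or None if absent/malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # garbage after 'Basic ' is treated like no credentials
    user, sep, pwd = decoded.partition(":")
    return (user, pwd) if sep else None


def basic_authenticate(headers: dict, session: dict, realm_name: str = "Example"):
    """Model of the BasicAuthenticator flow: returns (status, response_headers, principal)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{realm_name}"'}
    # 1. Already authenticated in this session? Reuse the cached principal.
    if session.get("principal"):
        return 200, {}, session["principal"]
    # 2. No credentials on this request: 401 makes the browser show the login dialog.
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None
    # 3. Ask the Realm; None means not recognized, so 401 again and the browser reprompts.
    principal = realm_authenticate(*creds)
    if principal is None:
        return 401, challenge, None
    # 4. Cache the principal on the session so the next request skips the Realm.
    session["principal"] = principal
    # 5. The caller would now expose principal via getRemoteUser()/getUserPrincipal().
    return 200, {}, principal
```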

