Posted to users@tomcat.apache.org by Mohun Biswas <m....@cleartool.com> on 2003/05/12 19:09:49 UTC

no-prompt "authentication" for intranet app

I can't quite figure out how to do this because the security documents are 
(properly) slanted towards internet use. I'm writing an app for intranet 
(within the company) use. I need to determine the user's name from a 
servlet; thus I'd like to be able to call getRemoteUser() or 
getUserPrincipal(). For this application and in this environment I'm 
perfectly willing to trust that the user was properly authenticated from 
the client and I don't want to make them go through the challenge/response 
sequence. After all, it's the same system admins controlling policy on both 
client and server, and it's a low-security application anyway.

The HTTP requests in this case are coming not from a browser but from a 
custom program. So I'd have no problem making my program embed the username 
in the URL in the standard way, e.g. 
http://username:somepasswd/context/path/to/resource. But of course the 
server is not by default going to trust the user to say "I am who I say I 
am".  If I configure for BASIC authentication I have to go through the 
prompt sequence. Is there any sequence of web.xml/tomcat-user.xml settings 
which will say "trust that the user is who he says without a prompt"?

Of course I could forget the whole security apparatus and just pass the 
username as a query parameter, but I'd really like to take advantage of the 
"role" infrastructure (e.g. isUserInRole() etc). Suggestions? TFM pointers?

Thanks,
MB


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: no-prompt "authentication" for intranet app

Posted by "Mark W. Webb" <ma...@dolphtech.com>.
Just implement mutually authenticated SSL.  This way your servlets can 
get the user's information from the certificate.



Re: no-prompt "authentication" for intranet app

Posted by Jacob Kjome <ho...@visi.com>.
Well, you can do the following which will still be read by the browser as a 
valid BASIC Authentication credentials...

http://myusername:mypassword@http://www.myhost.com/mycontext/apage.jsp

The only problem is that these need to be sent each and every time, I 
believe.  You'd have to test it out.  Just write your links like..

<a href="http://myusername:mypassword@http://www.myhost.com/mycontext/apage.jsp">A Page</a>

Now you can continue to use getRemoteUser() and getUserPrincipal() and the 
user will not be prompted for the username/password....as long as you have 
written the proper username/password combo to the link, that is.

Jake
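An added example, not from anyone in this thread: the custom client program the original poster describes can satisfy Tomcat's BASIC authentication without any challenge round trip by turning the user:password URL form into a preemptive Authorization header, which also keeps the password out of the URL (and out of access logs); the last function is the client side of Mark's mutual-SSL suggestion. Host names and certificate paths are assumptions.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit, unquote


def split_userinfo(url):
    """Split 'http://user:pw@host/path' into (url without credentials, user, pw).

    Tomcat never sees the user:pw part of a URL; the client has to turn it
    into an Authorization header itself.  Stripping it here also keeps the
    password out of server access logs and proxy caches.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return url, None, None
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    # userinfo may be percent-encoded (e.g. '@' as %40); decode before use
    return clean, unquote(parts.username), unquote(parts.password or "")


def basic_auth_header(user, password):
    """Value for 'Authorization: Basic ...'.  Sent on the first request, so
    Tomcat's BASIC authenticator accepts it with no 401 challenge/prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def fetch(url, tls_ctx=None):
    """GET a resource, sending Basic credentials preemptively if the URL
    carried them.  Returns (HTTP status, body bytes)."""
    clean, user, password = split_userinfo(url)
    req = urllib.request.Request(clean)
    if user is not None:
        req.add_header("Authorization", basic_auth_header(user, password))
    with urllib.request.urlopen(req, context=tls_ctx) as resp:
        return resp.status, resp.read()


def mutual_tls_context(cafile, certfile, keyfile):
    """Client side of the mutual-SSL approach: trust the intranet CA and
    present a client certificate, so a CLIENT-CERT protected Tomcat context
    can derive getUserPrincipal() from the certificate.  Paths are assumed."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx
```

For example, `fetch("http://username:somepasswd@intranet.example/context/path/to/resource")` sends the credentials as a header and requests the credential-free URL.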
