Posted to users@tomcat.apache.org by Mohun Biswas <m....@cleartool.com> on 2003/05/12 19:09:49 UTC
no-prompt "authentication" for intranet app
I can't quite figure out how to do this because the security documents are
(properly) slanted towards internet use. I'm writing an app for intranet
(within the company) use. I need to determine the user's name from a
servlet; thus I'd like to be able to call getRemoteUser() or
getUserPrincipal(). For this application and in this environment I'm
perfectly willing to trust that the user was properly authenticated from
the client and I don't want to make them go through the challenge/response
sequence. After all, it's the same system admins controlling policy on both
client and server, and it's a low-security application anyway.
The HTTP requests in this case are coming not from a browser but from a
custom program. So I'd have no problem making my program embed the username
in the URL in the standard way, e.g.
http://username:somepasswd/context/path/to/resource. But of course the
server is not by default going to trust the user to say "I am who I say I
am". If I configure for BASIC authentication I have to go through the
prompt sequence. Is there any sequence of web.xml/tomcat-user.xml settings
which will say "trust that the user is who he says without a prompt"?
Of course I could forget the whole security apparatus and just pass the
username as a query parameter, but I'd really like to take advantage of the
"role" infrastructure (e.g. isUserInRole() etc). Suggestions? TFM pointers?
Thanks,
MB
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: no-prompt "authentication" for intranet app
Posted by "Mark W. Webb" <ma...@dolphtech.com>.
Just implement mutually authenticated SSL. This way your servlets can
get the user's information from the certificate
Mohun Biswas wrote:
> I can't quite figure out how to do this because the security documents
> are (properly) slanted towards internet use. I'm writing an app for
> intranet (within the company) use. I need to determine the user's name
> from a servlet; thus I'd like to be able to call getRemoteUser() or
> getUserPrincipal(). For this application and in this environment I'm
> perfectly willing to trust that the user was properly authenticated
> from the client and I don't want to make them go through the
> challenge/response sequence. After all, it's the same system admins
> controlling policy on both client and server, and it's a low-security
> application anyway.
>
> The HTTP requests in this case are coming not from a browser but from
> a custom program. So I'd have no problem making my program embed the
> username in the URL in the standard way, e.g.
> http://username:somepasswd/context/path/to/resource. But of course the
> server is not by default going to trust the user to say "I am who I
> say I am". If I configure for BASIC authentication I have to go
> through the prompt sequence. Is there any sequence of
> web.xml/tomcat-user.xml settings which will say "trust that the user
> is who he says without a prompt"?
>
> Of course I could forget the whole security apparatus and just pass
> the username as a query parameter, but I'd really like to take
> advantage of the "role" infrastructure (e.g. isUserInRole() etc).
> Suggestions? TFM pointers?
>
> Thanks,
> MB
Re: no-prompt "authentication" for intranet app
Posted by Jacob Kjome <ho...@visi.com>.
Well, you can do the following, which will still be read by the browser as
valid BASIC Authentication credentials...
http://myusername:mypassword@http://www.myhost.com/mycontext/apage.jsp
The only problem is that these need to be sent each and every time, I
believe. You'd have to test it out. Just write your links like:
<a href="http://myusername:mypassword@www.myhost.com/mycontext/apage.jsp">A Page</a>
Now you can continue to use getRemoteUser() and getUserPrincipal() and the
user will not be prompted for the username/password... as long as you have
written the proper username/password combo into the link, that is.
Jake
At 01:09 PM 5/12/2003 -0400, you wrote:
>I can't quite figure out how to do this because the security documents are
>(properly) slanted towards internet use. I'm writing an app for intranet
>(within the company) use. I need to determine the user's name from a
>servlet; thus I'd like to be able to call getRemoteUser() or
>getUserPrincipal(). For this application and in this environment I'm
>perfectly willing to trust that the user was properly authenticated from
>the client and I don't want to make them go through the challenge/response
>sequence. After all, it's the same system admins controlling policy on
>both client and server, and it's a low-security application anyway.
>
>The HTTP requests in this case are coming not from a browser but from a
>custom program. So I'd have no problem making my program embed the
>username in the URL in the standard way, e.g.
>http://username:somepasswd/context/path/to/resource. But of course the
>server is not by default going to trust the user to say "I am who I say I
>am". If I configure for BASIC authentication I have to go through the
>prompt sequence. Is there any sequence of web.xml/tomcat-user.xml settings
>which will say "trust that the user is who he says without a prompt"?
>
>Of course I could forget the whole security apparatus and just pass the
>username as a query parameter, but I'd really like to take advantage of
>the "role" infrastructure (e.g. isUserInRole() etc). Suggestions? TFM pointers?
>
>Thanks,
>MB
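The no-prompt flow the original post asks about and Jake's embed-the-credentials-in-the-URL answer rest on the same mechanism: the client sends the `Authorization: Basic` header itself, so the server never has to issue the 401 challenge (the "prompt"), and the container still resolves the principal and roles from its user store, which is what makes getRemoteUser() and isUserInRole() work. The Python below is an added example, not code from this thread or from Tomcat. It stands in for both sides: the custom client pulling user:password out of the URL and building the header, and a stand-in for Tomcat's MemoryRealm reading a constructed tomcat-users.xml fragment. In a real deployment the server half is done by Tomcat once web.xml declares `<auth-method>BASIC</auth-method>` and a security-constraint naming the roles; the URL, user names and passwords here are constructed.

```python
"""Added example (not from the thread or from Tomcat): no-prompt BASIC auth.

The client derives an Authorization header from a credential-bearing URL and
sends it pre-emptively; the server half decodes it and answers the same
questions getRemoteUser()/isUserInRole() would. The user store below is a
constructed tomcat-users.xml fragment using the element layout Tomcat's
MemoryRealm reads.
"""
import base64
import binascii
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample tomcat-users.xml (not a real deployment's file).
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="user"/>
  <role rolename="reporter"/>
  <user username="mb" password="somepasswd" roles="user,reporter"/>
  <user username="guest" password="guest" roles="user"/>
</tomcat-users>
"""


def load_users(xml_text):
    """Parse tomcat-users.xml into {username: (password, set_of_roles)}."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = (u.get("password", ""), roles)
    return users


def split_userinfo(url):
    """Client side: take user:password out of the URL (the 'standard way' in
    the thread) and return (username, password, url_without_credentials)."""
    parts = urlsplit(url)
    if parts.username is None:
        raise ValueError("URL carries no userinfo")
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return parts.username, parts.password or "", clean


def basic_auth_header(username, password):
    """Client side: build the header sent with every request so that the server
    never answers 401 + WWW-Authenticate (the challenge/prompt)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_auth_header(header):
    """Server side: decode 'Basic <b64>' into (username, password), or None
    when the header is absent, uses another scheme, or is malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, pwd = raw.partition(":")
    return user, pwd


def authenticate(header, users):
    """Server side, standing in for the realm: return (remote_user, roles) as
    getRemoteUser()/isUserInRole() would see them, or (None, set()) when the
    credentials are missing or wrong. Constant-time compare avoids leaking
    how much of the password matched."""
    creds = parse_basic_auth_header(header or "")
    if creds is None:
        return None, set()
    user, pwd = creds
    entry = users.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode("utf-8"), pwd.encode("utf-8")):
        return None, set()
    return user, entry[1]


def demo(url="http://mb:somepasswd@intranet.example/context/path/to/resource"):
    """Whole round trip for one constructed intranet URL."""
    users = load_users(TOMCAT_USERS_XML)
    user, pwd, clean_url = split_userinfo(url)
    header = basic_auth_header(user, pwd)
    remote_user, roles = authenticate(header, users)
    return {
        "request_url": clean_url,
        "authorization": header,
        "remote_user": remote_user,
        "is_reporter": "reporter" in roles,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the code. First, the "prompt" only ever appears when the header is missing, so a custom client that always attaches it never sees a challenge, while the realm still rejects a wrong password (a bare username in a query parameter, the alternative the original post considers, gives no such check and no roles). Second, the header is only base64, not encryption: over plain HTTP the password travels in the clear on every request, which is the gap Mark's mutually authenticated SSL suggestion closes.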