Posted to general@jakarta.apache.org by So...@aol.com on 2000/08/05 21:17:30 UTC

apache basic auth and servlets

Hi all,
I want to protect my site using Basic Authentication. I have a form login
that goes to a login servlet, authenticates against ldap, and if valid, creates a
session and lets the user in. In this situation, I was wondering if there
is a way that I can then tell Apache this guy has authenticated so it doesn't
respond with a WWW-Authenticate header when he tries to access a protected
page. Any thoughts or ideas would be appreciated. Regards, Jake the Snake

Re: apache basic auth and servlets

Posted by Johan Peeters <jo...@alcatel.be>.
I am using tomcat standalone, so I am not sure what the situation is when
requests are first received by apache or what happens when you use another
servlet container. But I assume that this is similar.
Form-based and basic authentication are 2 different things. I can't tell you a
whole lot about form-based authentication, because I have not used it.
I assume that you have added security constraints to your app's web.xml. When the
user first requests a URL that is subject to a security constraint, the login
mechanism specified in web.xml is triggered. This means that a WWW-Authenticate
header is sent. The browser then prompts the user to supply a user name and
password which are then sent to the server. The server will then perform
authentication/authorization as coded by the request interceptors. As far as I
am aware, to check against ldap, you would have to supply your own request
interceptor in tomcat - I have not found this functionality in the interceptors
which come standard with tomcat. Anyway, if the guy (or gal) has been
authenticated, the browser will subsequently cache the username and password and
send it back with each request for a URL at the same domain in the Authorization
header. So, I found the issue was not so much to persuade the server not to send
a WWW-Authenticate header as to persuade the browser to stop sending
Authorization headers when the user wants to log off. In fact, I still have not
found a satisfactory way of doing so. The best solution I have found so far
(with a little help from Thor Heinrichs-Wolpert - see previous mail on the list)
is to force the browser to re-authenticate by sending it a WWW-Authenticate
again.

Hope this clarifies more than it confuses.

Yo




--
Johan Peeters mailto:johan.peeters@alcatel.be
Software Architect - Net Commerce
Alcatel - Gen. De Wittelaan 11 A bus 1 - 2800 Mechelen - Belgium
Phone: +32 15 29 3427 Fax: +32 3 240 4800



Re: apache basic auth and servlets

Posted by Simon Greaves <Si...@usp.ac.fj>.
This may well be irrelevant to you, but what the heck...

Another way of 'skinning the cat': subclass HttpServlet and provide code
within the subclass that checks for valid authentication details in the
session before doing anything else, then redirects to a login form if
there's none.

All the rest of your servlets can be subclassed from this 'authentication'
servlet class so the authentication mechanism becomes transparent. Since
the authentication happens outside of 'basic authentication', there are no
problems with browsers retaining the authentication information, and it is
possible to have an inactivity timeout on the session data so it is
automatically invalidated.

I use this for an application which is almost all dynamically generated 
html (from a DB which is what the authentication is for).


Simon
-- 
Simon Greaves				voice: (+679) 212114
Computer Centre				fax:   (+679) 304089
The University of the South Pacific	email: Simon.Greaves@usp.ac.fj
Suva, Fiji
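Simon's "authentication servlet" base class, written out as an added example (this is not code from the thread or from any of the posters). The login URL `/login`, the session attribute name `authUser` and the 15-minute idle timeout are assumptions of this example; the servlet API calls are standard javax.servlet ones.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Base class: every protected servlet extends this instead of HttpServlet.
// The login servlet (assumed at /login) is expected to call
// req.getSession().invalidate() and then create a fresh session holding
// USER_ATTR on success, so a pre-login session id is never promoted.
public abstract class AuthenticatedServlet extends HttpServlet {
    static final String USER_ATTR = "authUser";      // assumed attribute name
    static final int INACTIVITY_SECONDS = 15 * 60;   // assumed idle timeout

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false) never creates a session, so anonymous requests
        // do not allocate server-side state just by being made.
        HttpSession session = req.getSession(false);
        String user = (session == null) ? null
                                        : (String) session.getAttribute(USER_ATTR);
        if (user == null) {
            // No login recorded in the session: send the browser to the form.
            // Only the request path is passed along, so the login servlet can
            // safely redirect back to it (a same-site path, not a full URL).
            String next = URLEncoder.encode(req.getRequestURI(), "UTF-8");
            resp.sendRedirect(resp.encodeRedirectURL(
                    req.getContextPath() + "/login?next=" + next));
            return;
        }
        // Re-arm the inactivity timer on each authenticated request; the
        // container invalidates the session after this many idle seconds.
        session.setMaxInactiveInterval(INACTIVITY_SECONDS);
        // Dispatch to the subclass's doGet/doPost as usual.
        super.service(req, resp);
    }

    /** Subclasses read the logged-in user from the session, never from parameters. */
    protected String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }
}
```

Because the credential lives only in the server-side session, logging out is just `session.invalidate()`, which sidesteps the browser-cached Authorization header problem Johan describes for Basic auth.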