Posted to users@tomcat.apache.org by Matthew Mauriello <mm...@albany.edu> on 2010/07/01 02:20:59 UTC

Re: Question about BASIC Authentication

Christopher,

The behavior seems rather strange to me; in fact, I've seen other websites
run on what looks to be BASIC Authentication without popping these browser
messages when leaving secured sections.

See, the http://user:password@website.com/SOLR is only used once, and it
might actually be http://user:password@website.com/SOLR/; I have to look
into this.

I feel like the authentication cookie is being created for the user and
then being forwarded to every page the user visits after that.

I am hoping to find some way of preventing this behavior.

~Matt

> Matthew,
>
> On 6/30/2010 12:07 AM, Matthew Mauriello wrote:
>> I have two directories in 'webapps' other than ROOT. ROOT redirects users
>> to webappA. WebappA does not use Tomcat's basic authentication, but if you
>> log into the application there are links inside it that send the user to
>> the SOLR webapp via http://user:password@website.com/SOLR.
>
> Ok.
>
>> SOLR uses basic authentication. The problem is once the browser logs into
>> SOLR the error message pops up when navigating back to WebappA.
>
> Where is webappA deployed? /webappA? Generally, when the server requests
> BASIC authentication, the client will then provide credentials to the
> server for the original URL plus any URLs that are "under" it. I wonder
> if you used "http://user:password@website.com/SOLR/" (note the trailing
> slash) if you might avoid this behavior. I think the browser sees
> http://user:password@website.com/SOLR, removes the SOLR from the end
> (because it thinks that's the name of the resource), and then anything
> starting with http://website.com/ will then get the HTTP AUTH headers.
>
>> I understand this isn't the greatest setup, but other than the constant
>> pop-up message after logging into SOLR it meets the needs of the very few
>> users on the website.
>
> It's odd that your web browser complains about this... it implies that
> the browser pre-fetches the URL /without/ the authentication header,
> just to see if the server replies with a request-for-authentication
> header. That's actually kind of a nice security feature.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>




Re: Question about BASIC Authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Pid,

On 7/1/2010 3:31 AM, Pid wrote:
> On 01/07/2010 02:30, Christopher Schultz wrote:
>> Matthew,
>>
>> On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
>>> The behavior seems rather strange to me; in fact, I've seen other websites
>>> run on what looks to be BASIC Authentication without popping these browser
>>> messages when leaving secured sections.
>>
>> Most websites use HTTP AUTH consistently, at least for a particular URL
>> prefix.
>>
>>> See, the http://user:password@website.com/SOLR is only used once, and it
>>> might actually be http://user:password@website.com/SOLR/; I have to look
>>> into this.
>>
>>> I feel like the authentication cookie is being created for the user and
>>> then being forwarded to every page the user visits after that.
> 
> BASIC auth doesn't create an authentication cookie, does it?  The browser
> sends an 'Authorization' header instead.

Yep, no cookie.

-chris



Re: Question about BASIC Authentication

Posted by Pid <pi...@pidster.com>.
On 01/07/2010 02:30, Christopher Schultz wrote:
> Matthew,
> 
> On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
>> The behavior seems rather strange to me; in fact, I've seen other websites
>> run on what looks to be BASIC Authentication without popping these browser
>> messages when leaving secured sections.
> 
> Most websites use HTTP AUTH consistently, at least for a particular URL
> prefix.
> 
>> See, the http://user:password@website.com/SOLR is only used once, and it
>> might actually be http://user:password@website.com/SOLR/; I have to look
>> into this.
> 
>> I feel like the authentication cookie is being created for the user and
>> then being forwarded to every page the user visits after that.

BASIC auth doesn't create an authentication cookie, does it?  The browser
sends an 'Authorization' header instead.


p

>> I am hoping to find some way of preventing this behavior.
> 
> Well, for starters, what web browser are you using? Can you give me a
> sample URL that I can use to play with a test version of your webapp?
> 
> -chris

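To make Chris's explanation of which URLs receive the credentials, and Pid's point that BASIC sends an Authorization header rather than a cookie, concrete, here is an added example (not code from any poster or from Tomcat) modelling how a browser scopes BASIC credentials per RFC 7617 section 2.2; the function names and sample URLs are constructed for this illustration.

```python
# Added model of how a browser scopes HTTP BASIC credentials (RFC 7617, 2.2).
# Function names and sample URLs are constructed for this example.
import base64
from urllib.parse import urlsplit


def _origin(parts) -> str:
    # Drop any user:password@ embedded in the URL; only scheme and host matter.
    host = parts.netloc.rsplit("@", 1)[-1]
    return f"{parts.scheme}://{host}"


def protection_space(challenge_url: str) -> str:
    """URL prefix for which the browser keeps sending credentials learned
    from a 401 on challenge_url.

    The space is the origin plus the path up to and including its last slash:
    the final segment is treated as a resource name and dropped. Hence
    '/SOLR' widens the space to the whole site ('/'), while '/SOLR/' confines
    it to '/SOLR/'.
    """
    parts = urlsplit(challenge_url)
    path = parts.path or "/"
    return _origin(parts) + path[: path.rfind("/") + 1]


def will_send_credentials(space: str, target_url: str) -> bool:
    """True if the browser would pre-emptively attach the Authorization
    header when requesting target_url (i.e. it lies inside the space)."""
    parts = urlsplit(target_url)
    return (_origin(parts) + (parts.path or "/")).startswith(space)


def authorization_header(user: str, password: str) -> str:
    """What actually travels with each request: a header, not a cookie.
    The value is plain base64, reversible by anyone who sees the request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


if __name__ == "__main__":
    webapp_a = "http://website.com/webappA/index.jsp"  # constructed
    for link in ("http://user:password@website.com/SOLR",
                 "http://user:password@website.com/SOLR/"):
        space = protection_space(link)
        print(f"{link}\n  space: {space}\n  credentials also sent to webappA: "
              f"{will_send_credentials(space, webapp_a)}")
    print(authorization_header("user", "password"))
```

Running it shows that the trailing slash is what confines the credentials to /SOLR/ instead of the whole site; whether a browser first probes without the header, as Chris observed, is browser-specific and not modelled here.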




Re: Question about BASIC Authentication

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Matthew,

On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
> The behavior seems rather strange to me; in fact, I've seen other websites
> run on what looks to be BASIC Authentication without popping these browser
> messages when leaving secured sections.

Most websites use HTTP AUTH consistently, at least for a particular URL
prefix.

> See, the http://user:password@website.com/SOLR is only used once, and it
> might actually be http://user:password@website.com/SOLR/; I have to look
> into this.
> 
> I feel like the authentication cookie is being created for the user and
> then being forwarded to every page the user visits after that.
> 
> I am hoping to find some way of preventing this behavior.

Well, for starters, what web browser are you using? Can you give me a
sample URL that I can use to play with a test version of your webapp?

-chris
