Posted to users@tomcat.apache.org by Per Kreipke <pe...@onclave.com> on 2002/08/29 14:58:33 UTC

[Q] WebDAV servlet authentication...

Does anyone know whether the webdav servlet can use form based
authentication when the client is not a browser (e.g. DAVExplorer or Web
Folders)?

If not, can one configure single sign on to use form based authentication on
some resources and BASIC on others?

The impetus for my question is the fact that you can not (from my reading on
this list and a google search) programmatically log out the user from BASIC
authentication.

Per



--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


RE: [Q] WebDAV servlet authentication...

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 29 Aug 2002, Per Kreipke wrote:

> Date: Thu, 29 Aug 2002 15:16:13 -0400
> From: Per Kreipke <pe...@onclave.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: RE: [Q] WebDAV servlet authentication...
>
> > > Does anyone know whether the webdav servlet can use form based
> > > authentication when the client is not a browser (e.g. DAVExplorer or Web
> > > Folders)?
> > >
> >
> > Isn't this really a question of whether your *client* can understand how
> > to interact using form based login?  That seems pretty unlikely -- most of
> > the client-is-a-program scenarios I've seen (like the Manager webapp in
> > Tomcat) use BASIC authentication simply because it is easy to program to.
>
> Good point.
>
> > > If not, can one configure single sign on to use form based
> > authentication on
> > > some resources and BASIC on others?
> > >
> >
> > If you use Tomcat's single sign on support, each webapp can have its own
> > login method, so you could use BASIC on the webdav webapp, and form-based
> > for the ones that people use.
>
> Ok.
>
> Musing aloud...
>
> However, that means that if one uses form based login and you invalidate its
> session, that doesn't necessarily log out any access to another app through
> BASIC authentication. That could perhaps be a good thing in some instances.
>

For Servlet 2.3 (i.e. Tomcat 4.x), it does invalidate the sessions for all
the apps you are logged on to, but if the next request from the client
still includes the BASIC credentials, and accesses a protected resource,
that user will get re-authenticated again.

For Servlet 2.4, the new logout method is supposed to cover that case as
well.  It will be interesting to see if this can actually be implemented
reliably (I can think of ways to do it with cookies, but I'm not sure it's
feasible without).

> > > The impetus for my question is the fact that you can not (from
> > my reading on
> > > this list and a google search) programmatically log out the
> > user from BASIC
> > > authentication.
> > >
> >
> > API for asking for a logout was added in Servlet 2.4, so you'll see it
> > eventually in Tomcat 5.  That doesn't help much in the mean time, though
> > ... and implementing logout for clients using BASIC is pretty interesting
> > anyway, since it is the *client* that keeps sending the Authorization
> > header containing the username/password ...
>
> Yes, I've read that various places.
>
> I've also realized that my question has its own answer: my WebDAV client is
> a different app from the browser even if they're being used together (e.g.
> click on a dir in a browser, see it in Web Folders) and the user should be
> logged out of each differently and at different times.
>
> Per
>

Craig




RE: [Q] WebDAV servlet authentication...

Posted by Per Kreipke <pe...@onclave.com>.
> > Does anyone know whether the webdav servlet can use form based
> > authentication when the client is not a browser (e.g. DAVExplorer or Web
> > Folders)?
> >
>
> Isn't this really a question of whether your *client* can understand how
> to interact using form based login?  That seems pretty unlikely -- most of
> the client-is-a-program scenarios I've seen (like the Manager webapp in
> Tomcat) use BASIC authentication simply because it is easy to program to.

Good point.

> > If not, can one configure single sign on to use form based
> authentication on
> > some resources and BASIC on others?
> >
>
> If you use Tomcat's single sign on support, each webapp can have its own
> login method, so you could use BASIC on the webdav webapp, and form-based
> for the ones that people use.

Ok.

Musing aloud...

However, that means that if one uses form based login and you invalidate its
session, that doesn't necessarily log out any access to another app through
BASIC authentication. That could perhaps be a good thing in some instances.

> > The impetus for my question is the fact that you can not (from
> my reading on
> > this list and a google search) programmatically log out the
> user from BASIC
> > authentication.
> >
>
> API for asking for a logout was added in Servlet 2.4, so you'll see it
> eventually in Tomcat 5.  That doesn't help much in the mean time, though
> ... and implementing logout for clients using BASIC is pretty interesting
> anyway, since it is the *client* that keeps sending the Authorization
> header containing the username/password ...

Yes, I've read that various places.

I've also realized that my question has its own answer: my WebDAV client is
a different app from the browser even if they're being used together (e.g.
click on a dir in a browser, see it in Web Folders) and the user should be
logged out of each differently and at different times.

Per




Re: [Q] WebDAV servlet authentication...

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Thu, 29 Aug 2002, Per Kreipke wrote:

> Date: Thu, 29 Aug 2002 08:58:33 -0400
> From: Per Kreipke <pe...@onclave.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: [Q] WebDAV servlet authentication...
>
> Does anyone know whether the webdav servlet can use form based
> authentication when the client is not a browser (e.g. DAVExplorer or Web
> Folders)?
>

Isn't this really a question of whether your *client* can understand how
to interact using form based login?  That seems pretty unlikely -- most of
the client-is-a-program scenarios I've seen (like the Manager webapp in
Tomcat) use BASIC authentication simply because it is easy to program to.

> If not, can one configure single sign on to use form based authentication on
> some resources and BASIC on others?
>

If you use Tomcat's single sign on support, each webapp can have its own
login method, so you could use BASIC on the webdav webapp, and form-based
for the ones that people use.

> The impetus for my question is the fact that you can not (from my reading on
> this list and a google search) programmatically log out the user from BASIC
> authentication.
>

API for asking for a logout was added in Servlet 2.4, so you'll see it
eventually in Tomcat 5.  That doesn't help much in the mean time, though
... and implementing logout for clients using BASIC is pretty interesting
anyway, since it is the *client* that keeps sending the Authorization
header containing the username/password ...

> Per
>

Craig


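The per-webapp login method that Craig describes above, written out as an added configuration example (this is not configuration from the thread or from the Tomcat project's documentation). It assumes two hypothetical webapps, "webdav" for program clients and "portal" for browser users, deployed under one Host on Tomcat 4.x, and a hypothetical role name "dav-user"; the three fragments belong in three different files, as the comments indicate.

```xml
<!-- Fragment 1: server.xml. The SingleSignOn valve under the Host lets a
     user authenticated to one webapp be recognised by the others. Each
     webapp still declares its own login-config, which is what allows BASIC
     on the DAV tree and FORM on the portal at the same time. -->
<Host name="localhost" appBase="webapps">
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
</Host>

<!-- Fragment 2: webapps/webdav/WEB-INF/web.xml (hypothetical webapp name).
     BASIC is used here because Web Folders and DAVExplorer cannot drive a
     login form; they simply resend the Authorization header on every
     request. Consequence for logout: invalidating the SSO session removes
     the entry, but the next DAV request carries credentials again and is
     re-authenticated, so the only real end to a BASIC "session" is the
     client closing or the credential being revoked in the Realm. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DAV tree</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>dav-user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>WebDAV</realm-name>
  </login-config>
  <security-role>
    <role-name>dav-user</role-name>
  </security-role>
</web-app>

<!-- Fragment 3: webapps/portal/WEB-INF/web.xml (hypothetical webapp name).
     FORM is used for the pages people use in a browser; the login and error
     pages are assumed paths inside the portal webapp. Invalidating this
     webapp's session is the logout that actually takes effect, because the
     browser does not hold a reusable credential the way a BASIC client does. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Portal pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>dav-user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>dav-user</role-name>
  </security-role>
</web-app>
```

Two things to check after deploying a layout like this: that both webapps sit under the same Host (the SingleSignOn valve only spans the Host it is declared in), and that the same Realm backs both, since SSO only shares the authenticated principal, not separate credential stores. The logout asymmetry in the comments is the point Per arrives at in the thread: the DAV client and the browser are different clients and will be logged out at different times.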