Posted to cactus-dev@jakarta.apache.org by "Robertson, Jason" <Ja...@acs-inc.com> on 2001/12/29 00:51:56 UTC

Form based Authentication

WARNING: Approaching Hack Job, everybody duck!!!

That being said, I made form based authentication work once so I'm tossing
the code out into the world! There are very few comments, but the code is
all (of course) self documenting. :) I'm only sending it out since I'm gone
all next week, and I think the basic premise of what I've done is good, but
it needs to be cleaned up. By throwing it out now at least everyone has
something to chew on.

I've attached a Word doc to show the traces on my system that I used to
create this scheme (my system is JBoss/Jetty, and I *hope* things work
similarly with other servers). The high-level summary is that if the
HttpClientHelper detects a redirect, it gives the Authentication object a
chance to look at the situation and see if it can do something. For form
based authentication, it checks to see if the redirection is to a
user-specified login page. If so, it does a login and then the original
request is retried by HttpClientHelper (with the FormAuthentication object
inserting the sessionId appropriately to make everything work).

Since the FormAuthentication object holds the sessionId, the GET_RESULTS
request works perfectly since it shares the authentication object with the
CALL_TEST request. (Due to the already existing hack from the
BasicAuthentication solution.)

The yuckiest part is having to specify the "contextRoot" to the
FormAuthentication object which is really the server name and application
root. I need this to build the right url to which I send the POST with my
username/password. I need to figure out how to get this info in a cleaner
way. For example:

import org.apache.cactus.WebRequest;
// FormAuthentication is the class proposed in this post; import it from
// wherever the attached patch places it.

public void beginSetFirstNameInRequest(WebRequest theRequest)
{
   // username, password, the "contextRoot" (server name plus application
   // root, used to build the login POST url) and the login page the
   // container redirects to when the session is not yet authenticated
   theRequest.setAuthentication(
      new FormAuthentication("jason", 
                             "jason", 
                             "localhost:9000/FinCalcEJB",
                             "login.html"));
}

Again, sorry it's so rushed, but I'm here an hour later than I need to be as
it is...

Jason
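The redirect-then-login-then-retry exchange described in the post, as an added, self-contained example that is not Jason's code or part of Cactus. It spins up a constructed in-process stub that behaves like a servlet container doing form login (302 to login.html, j_security_check accepting j_username/j_password, JSESSIONID in Set-Cookie) and a client that plays the HttpClientHelper/FormAuthentication role: it disables automatic redirect following so it can see the 302, checks whether the redirect targets the configured login page, POSTs the credentials, captures the session id and retries the original request with the cookie. The session id value, user name, paths and port are constructed for the demo.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;

public class FormLoginFlowDemo {
    // Constructed session id handed out by the stub container after a good login.
    static final String SESSION_ID = "CONSTRUCTED-SESSION-1";

    // --- stub "container": models servlet form-based login on a random local port ---
    static HttpServer startStubServer() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/app/protected", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            if (cookie != null && cookie.contains("JSESSIONID=" + SESSION_ID)) {
                respond(ex, 200, "protected content");
            } else {                                   // no valid session: send to login page
                ex.getResponseHeaders().add("Location", "/app/login.html");
                respond(ex, 302, "");
            }
        });
        server.createContext("/app/j_security_check", ex -> {
            String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            if ("POST".equals(ex.getRequestMethod())
                    && body.contains("j_username=jason") && body.contains("j_password=jason")) {
                ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=" + SESSION_ID + "; Path=/app");
                ex.getResponseHeaders().add("Location", "/app/protected");
                respond(ex, 302, "");
            } else {
                respond(ex, 401, "bad credentials");
            }
        });
        server.start();
        return server;
    }

    static void respond(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, bytes.length == 0 ? -1 : bytes.length);
        if (bytes.length > 0) { try (OutputStream os = ex.getResponseBody()) { os.write(bytes); } }
        else ex.close();
    }

    // --- client side: the HttpClientHelper / FormAuthentication roles from the post ---
    static HttpURLConnection open(String url, String sessionId) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        c.setInstanceFollowRedirects(false);           // we must observe the 302 ourselves
        if (sessionId != null) c.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);
        return c;
    }

    // Is this redirect sending us to the user-specified login page?
    static boolean isLoginRedirect(HttpURLConnection c, String loginPage) throws IOException {
        int code = c.getResponseCode();
        if (code != 302 && code != 303) return false;
        String location = c.getHeaderField("Location");
        return location != null && location.endsWith("/" + loginPage);
    }

    // POST the credentials and return the session id from Set-Cookie, or null on failure.
    static String login(String base, String user, String password) throws IOException {
        HttpURLConnection c = open(base + "/j_security_check", null);
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String form = "j_username=" + URLEncoder.encode(user, "UTF-8")
                    + "&j_password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream os = c.getOutputStream()) { os.write(form.getBytes(StandardCharsets.UTF_8)); }
        if (c.getResponseCode() != 302) return null;
        for (Map.Entry<String, List<String>> h : c.getHeaderFields().entrySet()) {
            if (h.getKey() == null || !h.getKey().equalsIgnoreCase("Set-Cookie")) continue;
            for (String sc : h.getValue()) {
                if (sc.startsWith("JSESSIONID=")) return sc.substring("JSESSIONID=".length()).split(";")[0];
            }
        }
        return null;
    }

    // First try, detect login redirect, log in, then retry the original request with the session.
    static String fetchWithFormAuth(String base, String path, String user, String password,
                                    String loginPage) throws IOException {
        HttpURLConnection first = open(base + path, null);
        if (first.getResponseCode() == 200) return read(first);
        if (!isLoginRedirect(first, loginPage)) throw new IOException("unexpected response " + first.getResponseCode());
        String sessionId = login(base, user, password);
        if (sessionId == null) throw new IOException("login failed");
        return read(open(base + path, sessionId));
    }

    static String read(HttpURLConnection c) throws IOException {
        try (InputStream in = c.getInputStream()) { return new String(in.readAllBytes(), StandardCharsets.UTF_8); }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = startStubServer();
        String base = "http://127.0.0.1:" + server.getAddress().getPort() + "/app";
        try {
            System.out.println(fetchWithFormAuth(base, "/protected", "jason", "jason", "login.html"));
        } finally {
            server.stop(0);
        }
    }
}
```

Disabling automatic redirect following is what makes the hook described in the post possible: with the default behaviour the client would silently land on login.html and the authentication object would never get its chance to look at the 302. Because the session id is kept by the client object rather than re-derived per request, a second request (the GET_RESULTS step in the post) reuses it by simply passing the same session id to open().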