> -----Original Message-----
> From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
> Sent: 07 January 2002 18:25
> To: 'Cactus Developers List'
> Subject: RE: Adding Authentication To Cactus
>
> > a class called Base64.java in httpclient which does what
> > you need
>
> The Base64 class is currently package-access only, so I can't currently use
> it, but it's the perfect choice if they expose it publicly.
I've just asked :-)
>
> > I have sent an email to the commons list...
>
> Any responses?
Yes. The answer is they already support Basic authentication, plan to
add digest authentication in the future and are against adding
Form-based authentication at the current time because it is not standard
(although it is standard within the Servlet world, it is not when it
comes to HTTP) and I agree with them. So this part should remain in
Cactus for the time being.
>
> > I would prefer to have them in the client package...
>
> This was my original choice, but it "contaminated" the WebRequest object as
> it is now reliant on the client package. But if it's alright by you, then
> it's alright by me. :) I think the authentication subpackage is a good idea
> as well.
The WebRequest _is_ a client class. It is put in the main package
(org.apache.cactus) because this is where we put all user-friendly
classes (i.e. classes that the user is allowed to use safely in its code
- our public API in other words).
>
> Any other thoughts on the "context root" requirement in the form
> authentication? I could change the wording around and say I need the "login
> page" (to detect the redirect) and a "security servlet" (to do the login,
> would allow for variations in its location if we found there to ever be
> any). Then, you'd create a FormAuthentication object like this:
>
>     theRequest.setAuthentication(
>         new FormAuthentication(
>             "userid",
>             "password",
>             "http://localhost/Sample/login.html",
>             "http://localhost/Sample/j_security_check"));
>
> The 4th argument could be optional, the default would be to assume the login
> page is at the root of the web app and just remove the "login.html" and
> replace with "j_security_check" to get the login servlet.
>
I was still thinking about this one. However, I think your first
approach is fine :-)
> And finally, any comments on the AbstractHttpClient data flow heading into
> the callGetResult method? This is the "the authentication object is
> necessary in this call so how does it get there" issue.
Yes, that's the part that is the less nice one :-) but I guess it is ok
for now. I'll commit all these changes this weekend (have I said this
last weekend already! ;-)). Sorry about the latency.
Thanks
-Vincent
>
> Jason
>
> -----Original Message-----
> From: Vincent Massol [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 03, 2002 2:23 PM
> To: 'Cactus Developers List'
> Subject: RE: Adding Authentication To Cactus
>
> > -----Original Message-----
> > From: Robertson, Jason [mailto:[EMAIL PROTECTED]]
> > Sent: 28 December 2001 16:34
> > To: '[EMAIL PROTECTED]'
> > Subject: Adding Authentication To Cactus
> >
>
> [snip]
> >
> > Small Issues:
> >
> > - I didn't use java.security.Principal to hold the userId because it didn't
> > seem to buy me much. This could easily be changed if necessary.
> > - Similarly, commons-httpclient has a UsernamePasswordCredentials object
> > which seems similar to my AbstractAuthentication Object minus the configure
> > method, but I didn't get the code for it yet and can't verify exactly what
> > it does.
> > - Is there a base64Encode method somewhere that I could be using instead of
> > pasting my own into the BasicAuthentication class?
>
> There is a class called Base64.java in httpclient which does what you
> need. As a matter of fact I am considering moving Cactus to httpclient
> for the HTTP connection. I'm just not sure whether to do it before
> applying your patch or after ... :-)
>
> It seems also that HttpClient currently does not support Basic or
> Form-based authentication. I have sent an email to the commons list to
> confirm this and asked whether it would be in-scope to implement it in
> HttpClient and then just reuse that in Cactus.
>
> > - I put the Abstract & BasicAuthentication objects in the util package, only
> > so I wouldn't have to pull any other package into WebRequest. If they belong
> > somewhere more appropriate (and I'm betting they do), let me know.
> >
>
> As they are client side, I would prefer to have them in the client
> package. They could go in an authorization subpackage though.
>
> -Vincent
>
>
>
>
> --
> To unsubscribe, e-mail: <mailto:cactus-dev-
> [EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:cactus-dev-
> [EMAIL PROTECTED]>
>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
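
The form-login proposal discussed in this thread (a login page used to detect the redirect, and a security servlet that defaults to j_security_check next to it), as an added Java sketch that is not code from the thread or from Cactus. The class and method names are hypothetical, the session-id path parameter and the same-origin check are assumptions of this sketch, and it needs Java 10 or later.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added sketch, not Cactus code: class and method names are hypothetical.
public class FormLoginSketch {

    // Default for the optional 4th argument: replace the last path segment
    // of the login page URL ("login.html") with "j_security_check".
    static URI defaultSecurityCheck(URI loginPage) {
        return loginPage.resolve("j_security_check");
    }

    // True when a response redirects to the login page, i.e. the container
    // is asking for credentials. Location may be relative and may carry a
    // ";jsessionid=..." path parameter, so normalise before comparing.
    static boolean isLoginRedirect(int status, String location, URI requested, URI loginPage) {
        if (status < 300 || status > 399 || location == null) return false;
        URI target = requested.resolve(location);
        return sameOrigin(target, loginPage)
            && stripParams(target.getPath()).equals(stripParams(loginPage.getPath()));
    }

    static String stripParams(String path) {
        int i = path.indexOf(';');
        return i < 0 ? path : path.substring(0, i);
    }

    // Credentials should only be posted back to the server that served the login page.
    static boolean sameOrigin(URI a, URI b) {
        return a.getScheme().equalsIgnoreCase(b.getScheme())
            && a.getHost().equalsIgnoreCase(b.getHost())
            && a.getPort() == b.getPort();
    }

    // Body posted to the security servlet; j_username and j_password are the
    // field names fixed by the Servlet specification for form-based login.
    static String loginBody(String user, String password) {
        return "j_username=" + URLEncoder.encode(user, StandardCharsets.UTF_8)
            + "&j_password=" + URLEncoder.encode(password, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        URI login = URI.create("http://localhost/Sample/login.html");
        URI check = defaultSecurityCheck(login);
        URI page = URI.create("http://localhost/Sample/protected/test"); // constructed
        System.out.println(check);
        System.out.println(isLoginRedirect(302, "/Sample/login.html;jsessionid=A1B2", page, login));
        System.out.println(isLoginRedirect(302, "http://other.example/Sample/login.html", page, login));
        System.out.println(sameOrigin(login, check) ? loginBody("userid", "p&ss word") : "refused");
    }
}
```

The form body travels in the clear over plain http://, so outside a localhost test run the login page and security servlet URLs should be https://.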