After a few requests I decided to post the example to the group.

This is not how we used it but it is a good place to start.  Note the
hashtable of valid users is created in the init method.  I created a
BaseServlet that all servlets extend, and an interface called Authenticated
(No methods, just an empty interface).  If the Authenticated Interface is
implemented only valid users are allowed to view the servlet.  I also
maintained the list of users in a database and instead of adding each user
to the Hashtable in the init method I make a call to a method that retrieves
all users from the database and adds them to the Hashtable.

---------------------------------------- Code Starts Here ----------------------------------------

import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class DemoServlet extends HttpServlet {

  Hashtable users = new Hashtable();

  public void init(ServletConfig config) throws ServletException {
    super.init(config);
    users.put("Wallace:cheese",     "allowed");
    users.put("Gromit:sheepnapper", "allowed");
    users.put("Penguin:evil",       "allowed");
  }

  public void doGet(HttpServletRequest req, HttpServletResponse res)
                               throws ServletException, IOException {
    res.setContentType("text/plain");
    PrintWriter out = res.getWriter();

    // Get Authorization header
    String auth = req.getHeader("Authorization");

    // Do we allow that user?
    if (!allowUser(auth)) {
      // Not allowed, so report he's unauthorized
      res.setHeader("WWW-Authenticate", "BASIC realm=\"users\"");
      res.sendError(res.SC_UNAUTHORIZED);
      // Could offer to add him to the allowed user list
    }
    else {
      // Allowed, so show him the secret stuff
      out.println("Top-secret stuff");
    }
  }

  // This method checks the user information sent in the Authorization
  // header against the database of users maintained in the users Hashtable.
  protected boolean allowUser(String auth) throws IOException {
    if (auth == null) return false;  // no auth

    if (!auth.toUpperCase().startsWith("BASIC "))
      return false;  // we only do BASIC

    // Get encoded user and password, comes after "BASIC "
    String userpassEncoded = auth.substring(6);

    // Decode it, using any base 64 decoder
    sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
    String userpassDecoded = new String(dec.decodeBuffer(userpassEncoded));

    // Check our user list to see if that user and password are "allowed"
    if ("allowed".equals(users.get(userpassDecoded)))
      return true;
    else
      return false;
  }
}

----------------------------------------------------------------------------

-----Original Message-----
From: Youngho Cho <[EMAIL PROTECTED]>
To: Java Apache Users <[EMAIL PROTECTED]>
Date: Wednesday, May 19, 1999 4:30 PM
Subject: Re: Re:Re: Can I authenticate users in JServ?


Hi Shaun,

It looks like the right one, what I am looking for.
Could you send me some sample code to add in my servlet code??

Thanks,

Youngho Cho

-----Original Message-----
From: DD - Shaun Collopy <[EMAIL PROTECTED]>
To: Java Apache Users <[EMAIL PROTECTED]>
Date: 1999 5 19   1:27
Subject: Re: Re:Re: Can I authenticate users in JServ?


>We got around this by implementing application level security.  Using
>Servlets you have access to the standard browser authentication and every
>servlet that implements the WebAuthentication interface that we created
>requires a valid user.  We store the username, password and access
>privileges in a JDBC compatible database, making it much easier to manage
>than standard Apache implementation.
>
>If you want some sample code to add to your servlets then let me know and I
>will mail it to you.
>
>Regards,
>Shaun Collopy
>Dow Digital
>http://www.dowdigital.com.au
>
>-----Original Message-----
>From: Steve Nguyen <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>;
>[EMAIL PROTECTED]
><[EMAIL PROTECTED]>
>Date: Wednesday, May 19, 1999 11:36 AM
>Subject: Re:Re: Can I authenticate users in JServ?
>
>
>>I have not tried this, but seems a bit troublesome as most of ISPs will not
>>allow you to add/change their httpd.conf (except virtual server or dedicated
>>which are very expensive). Will try with .htaccess today;
>>
>>Steve Nguyen
>>[EMAIL PROTECTED]
>>Professional in Mail & Java(tm) for ISPs
>>KBMail Professional Software & Service Provider
>>http://www.kbmail.com
>>
>>
>>
>>-------- Original message --------
>>From: "Frank Morton" <[EMAIL PROTECTED]>
>>To: "Java Apache Users" <[EMAIL PROTECTED]>
>>References: <[EMAIL PROTECTED]>
>>Subject: Re: Can I authenticate users in JServ?
>>Date: Tue, 18 May 1999 22:38:33 -0500
>>----------------------------------
>>
>>> #1. is to read the FAQ, the .htaccess methods are well covered in there.
>>>
>>> #2. is to use a servlet framework such as Dash
>>> <http://www.working-dogs.com/dash/> that makes it easy to implement a
>>> database backed security model.
>>
>>
>>I do mine by inserting something like the following in httpd.conf:
>>
>><Location /servlets/<whateverzone>>
>>Options None
>>AllowOverride AuthConfig
>>AuthUserFile /usr/local/apache/security/<whateverzone>/users
>>AuthGroupFile /usr/local/apache/security/<whateverzone>/groups
>>AuthName "Secure Servlets In <whateverzone>"
>>AuthType Basic
>>require valid-user
>></Location>
>>
>>I thought that .htaccess didn't work? Anyway, the above works for me.
>>
>>Note: We need to all thank jon for being so responsive, even with the
>>constant frustration of referring people to the FAQ. Thanks!
>>
>>Frank
>>[EMAIL PROTECTED]
>>
>>
>>
>>
>>
>>-- --------------------------------------------------------------
>>To subscribe:        [EMAIL PROTECTED]
>>To unsubscribe:      [EMAIL PROTECTED]
>>READ THE FAQ!!!!     <http://java.apache.org/faq/>
>>Archives and Other:  <http://java.apache.org/main/mail.html/>
>>Problems?:           [EMAIL PROTECTED]
>>
>>
>>
>>
>>
>>
>
>
>
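An added example, not part of the original thread or of anyone's code in it: a variant of the `allowUser(auth)` check from the DemoServlet at the top that stores salted PBKDF2 hashes instead of `user:password` keys, treats a malformed header as a failed login, and compares in constant time. The class name `BasicAuthCheck`, the iteration count and the `DUMMY` record are assumptions made for illustration; `java.util.Base64` stands in for `sun.misc.BASE64Decoder`, which current JDKs no longer ship.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class BasicAuthCheck {
  // user -> {salt, PBKDF2 hash}; no plaintext password is kept in the table
  private final Map<String, byte[][]> users = new HashMap<>();
  // Hashed against for unknown users so both paths do the same amount of work
  private static final byte[][] DUMMY = { new byte[16], new byte[32] };
  static byte[] hash(String password, byte[] salt) throws Exception {
    PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 100_000, 256);
    return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
        .generateSecret(spec).getEncoded();
  }
  void addUser(String user, String password) throws Exception {
    byte[] salt = new byte[16];
    new SecureRandom().nextBytes(salt);
    users.put(user, new byte[][] { salt, hash(password, salt) });
  }

  // Same contract as allowUser(auth) in the post: true only for a valid Basic header
  boolean allowUser(String auth) throws Exception {
    if (auth == null || !auth.regionMatches(true, 0, "Basic ", 0, 6)) return false;
    String decoded;
    try {
      byte[] raw = Base64.getDecoder().decode(auth.substring(6).trim());
      decoded = new String(raw, StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return false;  // malformed base64 is a failed login, not a server error
    }
    int colon = decoded.indexOf(':');  // first colon only; a password may contain ':'
    if (colon < 0 || colon == decoded.length() - 1) return false;  // no or empty password
    byte[][] rec = users.getOrDefault(decoded.substring(0, colon), DUMMY);
    byte[] candidate = hash(decoded.substring(colon + 1), rec[0]);
    return MessageDigest.isEqual(candidate, rec[1]) && rec != DUMMY;  // constant-time compare
  }

  public static void main(String[] args) throws Exception {
    BasicAuthCheck c = new BasicAuthCheck();
    c.addUser("Wallace", "cheese");  // sample account taken from the post
    String good = "Basic " + Base64.getEncoder().encodeToString("Wallace:cheese".getBytes(StandardCharsets.UTF_8));
    System.out.println(c.allowUser(good) + " " + c.allowUser("Basic %%%") + " " + c.allowUser(null));
  }
}
```

Basic credentials are only base64-encoded on the wire, so a check like this belongs behind TLS.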