-----------------------------
Please read the FAQ!
<http://java.apache.org/faq/>
-----------------------------
Mark E. Ashton wrote:
> I've been trying to figure out if apache is capable of doing this, and I've
> been unable to find anything in the documentation on apache.org. Basically, I
> need to be able to have apache perform user authentication as normal, but then
> invoke a servlet with the username and password as part of the
> HttpServletRequest. The servlet would then store some pertinent information in
> the current HttpSession object. If the HttpSession expires, apache should ask
> the user to login again. Is this possible? I've seen similar functionality in
> sun's webaccess (for e-mail, not the personal webaccess browser) product. Any
> ideas or pointers would be greatly appreciated. Thanks!
>
> -Mark
>
Using Apache authentication with servlets is pretty easy -- use a <location>
directive in your httpd.conf file, and set up the normal sorts of authentication,
using whatever Apache module you want. When you do this, you receive the
logged-in username as the value of request.getRemoteUser(), but you do not get the
password. If you trust the mechanism used by the web server to authenticate, this
should not be a problem.
You can force a re-authentication at the web server level at any time (such as
when you recognize that the session has timed out), by calling this instead of
creating a response:
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
but it is not clear to me how you will be able to recognize the difference (on the
next request) between a remote user that was authorized earlier, and one that was
just re-authorized. I guess you just assume that if another request comes in,
then the user must have successfully re-authorized themselves.
For my apps, I've tended to implement authentication within my servlets
themselves, rather than relying on the web server to do it. Besides keeping all
the application logic together, this is also *slightly* more secure and better
performing, because the cleartext username and password only cross the network
once (the form submit of the login screen) versus once per request (in an HTTP
header when using Basic authentication). The security part of this is probably
not an issue on an intranet, or an SSL connection across the Internet, but the
extra bytes still add up.
Craig McClanahan
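One way to put the pieces Craig describes together in a single servlet: Apache authenticates under a <Location>, the servlet reads request.getRemoteUser(), bootstraps the HttpSession on the first request, and forces a fresh web-server login with SC_UNAUTHORIZED once the session is gone or arrives with a different user's credentials. This is an added example, not code from the original thread or from Apache JServ. Everything in it is assumed: the httpd.conf fragment in the header comment, the realm, the cookie path and names, the 15-minute timeout, and in particular the marker-cookie trick used to tell an expired session from a first visit (the ambiguity Craig raises) and the explicit WWW-Authenticate header on the 401; neither of those comes from the thread.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/*
 * Assumed httpd.conf fragment protecting this servlet (path, realm and
 * password file are hypothetical):
 *
 *   <Location /servlet/AuthDemo>
 *     AuthType Basic
 *     AuthName "Demo Realm"
 *     AuthUserFile /usr/local/apache/conf/demo.htpasswd
 *     require valid-user
 *   </Location>
 */
public class AuthDemoServlet extends HttpServlet {

    // Assumed values. REALM must equal AuthName above and COOKIE_PATH the
    // <Location> path, or the challenge and the marker cookie will not match.
    private static final String REALM = "Demo Realm";
    private static final String COOKIE_PATH = "/servlet/AuthDemo";
    private static final String MARKER_COOKIE = "authdemo.seen";
    private static final String USER_ATTR = "authdemo.user";
    private static final int SESSION_TIMEOUT_SECONDS = 15 * 60;

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Apache already authenticated the caller; the servlet sees only the
        // user name, never the password. Trust rests on this value alone.
        String remoteUser = request.getRemoteUser();
        if (remoteUser == null) {
            // Reached outside the protected <Location>: refuse rather than
            // serve an unauthenticated caller.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // getSession(false) never creates a session, so null means either a
        // first visit or a session the container has already expired.
        HttpSession session = request.getSession(false);
        if (session == null) {
            if (hasMarker(request)) {
                // Marker cookie present but no session: the session timed
                // out. Make the web server ask for a login again; challenge()
                // also deletes the marker so the request that follows the new
                // login is treated as a fresh visit.
                challenge(response);
                return;
            }
            // Fresh login: build the session and remember who it belongs to.
            session = request.getSession(true);
            session.setMaxInactiveInterval(SESSION_TIMEOUT_SECONDS); // Servlet 2.1+
            session.putValue(USER_ATTR, remoteUser);
            Cookie marker = new Cookie(MARKER_COOKIE, "1");
            marker.setPath(COOKIE_PATH);
            response.addCookie(marker);
        }

        // A session cookie arriving with credentials for a different user
        // (shared browser, replayed cookie) must not inherit the old state.
        String sessionUser = (String) session.getValue(USER_ATTR);
        if (!remoteUser.equals(sessionUser)) {
            session.invalidate();
            challenge(response);
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Logged in as " + remoteUser);
        out.println("Session " + session.getId()
                + " created at " + session.getCreationTime());
        out.close();
    }

    // True when the browser sent the marker cookie set at the last login.
    // The marker only decides whether to challenge; it is client-controlled
    // and is never used to decide who the user is.
    private boolean hasMarker(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (MARKER_COOKIE.equals(cookies[i].getName())) {
                return true;
            }
        }
        return false;
    }

    // Force a new web-server login. A bare 401 is not a valid challenge: the
    // response must also carry WWW-Authenticate for the same realm, or the
    // browser has nothing to re-prompt for.
    private void challenge(HttpServletResponse response) throws IOException {
        Cookie gone = new Cookie(MARKER_COOKIE, "");
        gone.setPath(COOKIE_PATH);
        gone.setMaxAge(0); // tells the browser to delete the marker
        response.addCookie(gone);
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Two caveats a practitioner should keep in mind. First, the marker cookie is only a hint for choosing between "first visit" and "expired session"; authorization still comes exclusively from getRemoteUser(), so a forged or missing marker can at worst trigger an extra login prompt. Second, this does not remove the ambiguity Craig points out: a browser that has cached Basic credentials may answer the 401 without showing a prompt, in which case the "re-login" is invisible to the user and the servlet simply sees a request with no marker and no session, exactly as it would for a first visit. putValue/getValue are the Servlet 2.0 names; on 2.2 and later they are setAttribute/getAttribute.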