RE: Servlets and BasicAuthentication

Fri, 18 Feb 2000 18:33:23 -0800 

----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files.  Don't make us guess your problem!!!
----------------------------------------------------------------

Here's something that I've used to limit access to a directory tree........

You can add the module mod_auth_cookie to apache. I added it as a DSO. This
allows basic authentication through cookies.

ftp://ftp.kciLink.com/pub/mod_auth_cookie.c.gz

Add something like this to your apache conf file (more info in the docs with
the mod)....

 <Directory /htdocs/directory>

  AuthName Name
  AuthType Basic
  AuthUserFile userfile
  AuthCookieName CookieName

  <Limit POST GET>
   require valid-user
  </Limit>

 </Directory>

You'll also need to add a custom error document directive so that the failed
authorization goes to a login page.
ErrorDocument 401 /htdocs/login.html

You can then validate through a servlet from the login page and set the
proper cookie if the person is a valid user. The user is checked against a
database through the servlet and there is one valid user in the
AuthUserFile. If the servlet validates against the db, the cookie is set to
identify the person as the user in the AuthUserFile. I guess you could think
of the user in the AuthUserFile as a group.

Seems to work well for me. Hope this helps.

Tim

--------------------------
Tim Trentham
Web Developer
Furnitureshow.com
V: 512.478.5405 Ext. 204
F: 512.478.5437
[EMAIL PROTECTED]
--------------------------

> -----Original Message-----
> From: Stefan Mainz [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 17, 2000 2:53 AM
> To: Java Apache Users
> Subject: Servlets and BasicAuthentication
> 
> As we all know now we can restrict access to servlets via the
> <Location> directiy in .htaccess.
> 
> But is there something like the opposite? I would like to authorise
> a user by a servlet. As i do not want to serv ordinary 
> html-pages by a 
> servlet i would like to tell the apache server that the user is
> authenticated und may access pages in a certain realm.
> 
> In theory i would have to set some header information, but don't know
> which ones. Has anyone tried this before?
> 
> Stefan
> 


--
--------------------------------------------------------------
Please read the FAQ! <http://java.apache.org/faq/>
To subscribe:        [EMAIL PROTECTED]
To unsubscribe:      [EMAIL PROTECTED]
Archives and Other:  <http://java.apache.org/main/mail.html>
Problems?:           [EMAIL PROTECTED]

Reply via email to