Can I do HTTP authentication in my servlet?

2002-03-14 Thread Zhidong Yu

I am using Tomcat as the servlet container. What I want to do is write a
servlet which does HTTP authentication without Tomcat interacting. Is it
possible?
 
In detail, to enable HTTP authentication (basic realm), you should
configure the web.xml in your webapp, and configure the
username/password/role in %TOMCAT_HOME%/conf/tomcat-user.xml. But I want
to use my ACL in my servlet, so I would process any of the user requests
myself, determine whether it needs authentication, then return a
challenge response to the client, and so on.
 
A typical scenario is:
 
client:  sends a GET /myapp/abc.xml HTTP/1.1; here myapp is my webapp,
and abc.xml is retrieved by the servlet from some data source where
authentication is needed.
servlet: finds no Authorization header is available, so it returns an HTTP 401
response to challenge the client for username/password
client: sends the GET request again with an Authorization header
servlet: tries to access the data source, but the username/password have
no right to access abc.xml, so it returns an HTTP 401 again
client: sends the GET with the correct username/password
servlet: gets abc.xml and returns it to the client.

--zhidong

--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]




Re: Can I do HTTP authentication in my servlet?

2002-03-14 Thread Craig R. McClanahan

This kind of question is better addressed to the TOMCAT-USER list, since
it's about how to *use* Tomcat instead of how to *develop* Tomcat.

On Thu, 14 Mar 2002, Zhidong Yu wrote:

 Date: Thu, 14 Mar 2002 20:04:59 -0800
 From: Zhidong Yu [EMAIL PROTECTED]
 Reply-To: Tomcat Developers List [EMAIL PROTECTED]
 To: Tomcat Developers List [EMAIL PROTECTED]
 Subject: Can I do HTTP authentication in my servlet?

 I am using Tomcat as the servlet container. What I want to do is write a
 servlet which does HTTP authentication without Tomcat interacting. Is it
 possible?

 In detail, to enable HTTP authentication (basic realm), you should
 configure the web.xml in your webapp, and configure the
 username/password/role in %TOMCAT_HOME%/conf/tomcat-user.xml. But I want
 to use my ACL in my servlet, so I would process any of the user requests
 myself, determine whether it needs authentication, then return a
 challenge response to the client, and so on.

 A typical scenario is:

 client:  sends a GET /myapp/abc.xml HTTP/1.1; here myapp is my webapp,
 and abc.xml is retrieved by the servlet from some data source where
 authentication is needed.
 servlet: finds no Authorization header is available, so it returns an HTTP 401
 response to challenge the client for username/password
 client: sends the GET request again with an Authorization header
 servlet: tries to access the data source, but the username/password have
 no right to access abc.xml, so it returns an HTTP 401 again
 client: sends the GET with the correct username/password
 servlet: gets abc.xml and returns it to the client.


With Tomcat 4, you can easily do all of the above with a Servlet, but you
can also use a Filter, and not even have to mess with the application
itself.  Take a look at how Tomcat's Authenticator valves work (package
org.apache.catalina.authenticator) for ideas about how to do the HTTP
interactions.

Of course, the only thing on your list that is non-standard is the idea of
challenging the user for a different set of credentials if they don't have
the right ones for a particular resource.  That kind of goes against the
grain of what container managed security is all about (authentication and
access control are two discrete concepts), but it should be possible to
make it work.

You will, of course, need to avoid setting up any security-constraint
elements in your web.xml file -- that will keep Tomcat's security software
completely out of your way.

 --zhidong


Craig


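As an added example, not code from either poster or from Tomcat itself, here is what the exchange in Zhidong's scenario and Craig's Filter suggestion look like when put together: a Servlet 2.3 Filter that does the HTTP Basic challenge/response and the per-resource ACL check itself, with no security-constraint in web.xml so the container's authenticator stays out of the way. The class name, realm name, user table, ACL and the "authenticatedUser" request attribute are all assumptions made for the example; the users and the path-to-user ACL are constructed sample data standing in for the application's real data source. java.util.Base64 is a Java 8 API; on a Tomcat 4-era JDK you would substitute another Base64 decoder.

```java
// Added example, not from the original thread. Map it in web.xml with a
// <filter> element for this class and a <filter-mapping> whose <url-pattern>
// is /* (or just the paths that need protection); add no <security-constraint>.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;            // Java 8+; Tomcat 4-era code needs a third-party decoder
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthAclFilter implements Filter {
    private static final String REALM = "myapp";   // assumed realm name

    // Constructed sample data: user -> password bytes, and resource path -> the
    // user allowed to read it. Real code would consult the application's own store.
    private final Map<String, byte[]> users = new HashMap<String, byte[]>();
    private final Map<String, String> acl = new HashMap<String, String>();

    public void init(FilterConfig config) {
        users.put("alice", "s3cret".getBytes(StandardCharsets.UTF_8));
        users.put("bob", "hunter2".getBytes(StandardCharsets.UTF_8));
        acl.put("/abc.xml", "alice");   // bob authenticates fine but may not read abc.xml
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String[] creds = parseBasic(request.getHeader("Authorization"));
        if (creds == null) {
            challenge(response);        // no usable Authorization header: 401 plus challenge
            return;
        }
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (!passwordMatches(creds[0], creds[1]) || !creds[0].equals(acl.get(path))) {
            challenge(response);        // wrong password, or no right to this resource: 401 again
            return;
        }
        // The container knows nothing about this login (getRemoteUser() stays null),
        // so hand the identity to the servlet ourselves.
        request.setAttribute("authenticatedUser", creds[0]);
        chain.doFilter(req, res);       // authorized: let the servlet fetch and return abc.xml
    }

    public void destroy() { }

    /** Sends the 401. Without WWW-Authenticate a browser shows the error page instead of prompting. */
    private void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Returns {user, password} from "Basic base64(user:password)", or null if absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;                // garbage after "Basic " is treated like a missing header
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 1) return null;     // RFC 2617: user-id may not be empty or contain ':'
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Constant-time comparison so response timing does not leak how much of the password matched. */
    private boolean passwordMatches(String user, String password) {
        byte[] expected = users.get(user);
        if (expected == null) return false;
        return MessageDigest.isEqual(expected, password.getBytes(StandardCharsets.UTF_8));
    }
}
```

Two caveats a practitioner would want here. Basic credentials travel as reversible base64 on every request, so this is only acceptable over TLS. And, as Craig notes, re-challenging with a 401 when a valid user simply lacks rights to a resource conflates authentication with access control; a 403 would tell the client the truth, but the 401 is what the scenario asks for and it does make browsers prompt for different credentials.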