Re: Question about BASIC Authentication
Christopher,

Great news (for me): it seems the problem was that, because I was using relative linking and sending the credentials to log the user in to SOLR, the links on the landing page were being recreated with the same credentials in them, so I just put in direct link locations and for the most part the problem is solved. It also is more secure this way because it turns out I was revealing the passwords that I was trying to keep hidden.

Thanks for the help!

~Matt

> Christopher,
>
> I may have found a problem in the SOLR header.jsp file that I am using in navigation. The header.jsp file might be trying to send headers; unfortunately I am not in the same location as the server so I will have to check this out tomorrow.
>
> I'll keep you posted,
>
> ~Matt
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Matthew,
>>
>> On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
>>> The behavior seems rather strange to me; in fact, I've seen other websites run on what looks to be BASIC Authentication without popping these browser messages when leaving secured sections.
>>
>> Most websites use HTTP AUTH consistently, at least for a particular URL prefix.
>>
>>> See, the http://user:passw...@website.com/SOLR is only used once and it might actually be http://user:passw...@website.com/SOLR/ I have to look into this. I feel like the authentication cookie is being created for the user and then being forwarded to every page the user visits after that. I am hoping to find some way of preventing this behavior.
>>
>> Well, for starters, what web browser are you using? Can you give me a sample URL that I can use to play with a test version of your webapp?
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAkwr76cACgkQ9CaO5/Lv0PACLQCgjmn6kpeN1L3uQPuxpUEbHT8C
>> W/UAn1iaKySqcMfZNuttx7MjHYr6EqX4
>> =Yxdn
>> -----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Question about BASIC Authentication
Christopher,

The behavior seems rather strange to me; in fact, I've seen other websites run on what looks to be BASIC Authentication without popping these browser messages when leaving secured sections.

See, the http://user:passw...@website.com/SOLR is only used once and it might actually be http://user:passw...@website.com/SOLR/ I have to look into this. I feel like the authentication cookie is being created for the user and then being forwarded to every page the user visits after that. I am hoping to find some way of preventing this behavior.

~Matt

> Matthew,
>
> On 6/30/2010 12:07 AM, Matthew Mauriello wrote:
>> I have two directories in 'webapps' other than ROOT. ROOT redirects users to webappA. WebappA does not use tomcat's basic authentication but if you log into the application there are links inside it that send the user to the SOLR webapp via http://user:passw...@website.com/SOLR.
>
> Ok.
>
>> SOLR uses basic authentication. The problem is once the browser logs into SOLR the error message pops up when navigating back to WebappA.
>
> Where is webappA deployed? /webappA?
>
> Generally, when the server requests BASIC authentication, the client will then provide credentials to the server for the original URL plus any URLs that are under it. I wonder if you used http://user:passw...@website.com/SOLR/ (note the trailing slash) if you might avoid this behavior. I think the browser sees http://user:passw...@website.com/SOLR, removes the SOLR from the end (because it thinks that's the name of the resource), and then anything starting with http://website.com/ will then get the HTTP AUTH headers.
>
>> I understand this isn't the greatest setup but other than the constant pop up message after logging into SOLR it meets the needs of the very few users on the website.
>
> It's odd that your web browser complains about this... it implies that the browser pre-fetches the URL /without/ the authentication header, just to see if the server replies with a request-for-authentication header. That's actually kind of a nice security feature.
>
> -chris
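Two mechanisms in this thread are worth seeing in code: the browser heuristic chris describes in the quoted reply above (credentials learned for `/SOLR` are offered to everything under `/`, while `/SOLR/` confines them to that directory), and the credential leak Matt reports in the top message of this page (relative links on a page reached through a `user:password@host` URL resolve to URLs that still carry the credentials). The following Python is an added example written for this page, not code from the thread, Tomcat or Solr. It assumes the host `website.com`, the path names from the thread, a constructed landing page and placeholder credentials `user:secret`; the scope function models the "strip the final path segment" heuristic as chris states it, not the exact rule of any one browser.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def preemptive_auth_scope(authenticated_url):
    """Return (scheme, host, directory): the space in which a browser keeps
    sending the Basic credentials it learned for authenticated_url.
    The directory is the path up to and including its last '/', i.e. the
    "remove the final segment" behaviour described in the thread.
    Assumption: this models that heuristic, not any specific browser."""
    parts = urlsplit(authenticated_url)
    path = parts.path or "/"
    directory = path[: path.rfind("/") + 1]
    return (parts.scheme, parts.hostname, directory)


def will_send_credentials(scope, url):
    """True if a browser holding credentials for `scope` would attach them
    preemptively to a request for `url` (same scheme and host, path under
    the scope directory)."""
    scheme, host, directory = scope
    parts = urlsplit(url)
    return (
        parts.scheme == scheme
        and parts.hostname == host
        and (parts.path or "/").startswith(directory)
    )


class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags using only the standard library."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_credential_leaks(page_url, html):
    """Resolve every <a href> in `html` against the URL the page was loaded
    from, as a browser does, and return the resolved links that carry
    userinfo (user:password@). A relative href inherits the userinfo of
    page_url; an absolute href to the bare host does not."""
    collector = _HrefCollector()
    collector.feed(html)
    leaks = []
    for href in collector.hrefs:
        resolved = urljoin(page_url, href)
        if urlsplit(resolved).username is not None:
            leaks.append(resolved)
    return leaks


# Constructed sample (not from the thread): the SOLR landing page as reached
# through a user:password@ link, with one relative and one absolute back link.
LANDING_URL = "http://user:secret@website.com/SOLR/"  # placeholder credentials
LANDING_HTML = """
<a href="admin/">Admin</a>
<a href="../webappA/">Back to webappA (relative)</a>
<a href="http://website.com/webappA/">Back to webappA (absolute)</a>
"""

if __name__ == "__main__":
    for url in ("http://website.com/SOLR", "http://website.com/SOLR/"):
        scope = preemptive_auth_scope(url)
        covered = will_send_credentials(scope, "http://website.com/webappA/")
        print(f"{url}: credentials scoped to {scope[2]!r}; "
              f"sent to /webappA/: {covered}")
    for link in find_credential_leaks(LANDING_URL, LANDING_HTML):
        print("link carries credentials:", link)
```

Running it shows `/SOLR` scoping credentials to `/` (so `/webappA/` receives them) while `/SOLR/` scopes them to `/SOLR/`, and flags the two relative links as carrying the password while the absolute link does not, which is exactly the fix Matt settled on.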
Re: Question about BASIC Authentication
Christopher,

First off, I really appreciate your responses. Unfortunately I do not have a link that I can send out. I generally use Mozilla Firefox; Microsoft recently implemented a patch that prevents http://user:passw...@website.com/SOLR/ from working.

So on this consistent implementation method, how do websites grant access to public sites and secure certain sections? Or is this a problem because I have two separate applications deployed and I am trying to navigate between both?

Thanks again,

~Matt

> Matthew,
>
> On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
>> The behavior seems rather strange to me; in fact, I've seen other websites run on what looks to be BASIC Authentication without popping these browser messages when leaving secured sections.
>
> Most websites use HTTP AUTH consistently, at least for a particular URL prefix.
>
>> See, the http://user:passw...@website.com/SOLR is only used once and it might actually be http://user:passw...@website.com/SOLR/ I have to look into this. I feel like the authentication cookie is being created for the user and then being forwarded to every page the user visits after that. I am hoping to find some way of preventing this behavior.
>
> Well, for starters, what web browser are you using? Can you give me a sample URL that I can use to play with a test version of your webapp?
>
> -chris
Re: Question about BASIC Authentication
Christopher,

I may have found a problem in the SOLR header.jsp file that I am using in navigation. The header.jsp file might be trying to send headers; unfortunately I am not in the same location as the server so I will have to check this out tomorrow.

I'll keep you posted,

~Matt

> Matthew,
>
> On 6/30/2010 8:20 PM, Matthew Mauriello wrote:
>> The behavior seems rather strange to me; in fact, I've seen other websites run on what looks to be BASIC Authentication without popping these browser messages when leaving secured sections.
>
> Most websites use HTTP AUTH consistently, at least for a particular URL prefix.
>
>> See, the http://user:passw...@website.com/SOLR is only used once and it might actually be http://user:passw...@website.com/SOLR/ I have to look into this. I feel like the authentication cookie is being created for the user and then being forwarded to every page the user visits after that. I am hoping to find some way of preventing this behavior.
>
> Well, for starters, what web browser are you using? Can you give me a sample URL that I can use to play with a test version of your webapp?
>
> -chris
Re: Question about BASIC Authentication
Christopher,

Thanks for the response. I have two directories in 'webapps' other than ROOT. ROOT redirects users to webappA. WebappA does not use tomcat's basic authentication but if you log into the application there are links inside it that send the user to the SOLR webapp via http://user:passw...@website.com/SOLR. SOLR uses basic authentication. The problem is once the browser logs into SOLR the error message pops up when navigating back to WebappA.

I understand this isn't the greatest setup but other than the constant pop up message after logging into SOLR it meets the needs of the very few users on the website.

Hope this clears things up.

Thanks,

~Matt

> Matt,
>
> On 6/29/2010 5:57 PM, Matthew Mauriello wrote:
>> I am having a minor problem related to Tomcat's BASIC Authentication setup. A user accesses my custom web application in the 'webapps' folder which is accessible to everyone in a separate sub folder.
>
> This already smells funny. Can you give us the details of your directory structure, and what contexts actually map to what directories on the disk?
>
>> I have another 'webapps' sub folder for SOLR which is secured with BASIC Authentication. I have my custom web application log the user into the SOLR application when the user wants to access it.
>
> So, webapp A contacts SOLR using HTTP BASIC AUTH, provides credentials, and then... what?
>
>> The problem I am having is that when the user navigates back to the custom application folder from the SOLR application folder they get prompted with the following message that I would like to disable:
>>
>> - You are about to log in to the site greygoose with the username admin, but the website does not require authentication. This may be an attempt to trick you. Is greygoose the site you want to visit? -
>>
>> I am not sure if this is a browser setting that needs to be changed or if there is a Tomcat setting I can implement to kill this error message, but any help would be appreciated.
>
> It sounds like your webapp isn't doing the authentication: instead, you are somehow tricking the browser into doing the authentication instead. Do you ever intend for the client (the browser) to authenticate? Or, is webapp A supposed to use HTTP BASIC AUTH against SOLR and nothing else?
>
> -chris