Re: Optional authentication

2007-08-06 Thread Bruno Harbulot



Bill Barker wrote:


> You haven't missed anything.  Tomcat simply doesn't try to authenticate a
> user if authentication isn't required.  Simplest and most portable is to
> create a Filter that is configured as the first filter, and takes an
> auth-method init param to tell it what to use, and then wraps the request in
> an HttpServletWrapper that overrides getUserPrincipal before sending it on
> its way.
>
> Other options include extending one or more of Tomcat's Authenticators, and
> configuring your app to use your Authenticator rather than Tomcat's.


Thanks for your reply. It seems like a reasonable way to do it indeed. 
I'm also looking at using JGuard perhaps http://jguard.net/.


Regards,

Bruno.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Optional authentication

2007-08-02 Thread Bruno Harbulot

Hello,


I would like to be able to require authentication optionally and make my
servlets or JSPs behave differently depending on which Principals they get.
For example, I'd like a GET to be able to return a 200 status and not
401, even if the user has not been authenticated.

Presumably, this is similar to what happens on web sites that say in a
corner "You're not logged in", but still display some information (e.g.
forums).


I've managed to set up authentication using either HTTP Basic or SSL
client certificates. However, I'm not sure if there are mechanisms to
let the servlet handle the roles and restrictions manually, for
example using request.getUserPrincipal().

When I use this type of configuration:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Test</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>


the authentication works, but removing the <auth-constraint /> element
removes any authentication challenge, even if, in this case, a
recognised SSL client certificate is used (whether using
clientAuth="true" or clientAuth="want"). I'd also like the solution not
to rely on
request.getAttribute("javax.servlet.request.X509Certificate"), as I'd
like to be able to keep the abstraction provided by <auth-method />, etc.


Any suggestions? I might have missed something in the documentation.


Best wishes,

Bruno.





Re: Optional authentication

2007-08-02 Thread Bill Barker

Bruno Harbulot [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]
> Hello,
>
> I would like to be able to require authentication optionally and make my
> servlets or JSPs behave differently depending on which Principals they
> get.
> For example, I'd like a GET to be able to return a 200 status and not
> 401, even if the user has not been authenticated.
>
> Presumably, this is similar to what happens on web sites that say in a
> corner "You're not logged in", but still display some information (e.g.
> forums).
>
> I've managed to set up authentication using either HTTP Basic or SSL
> client certificates. However, I'm not sure if there are mechanisms to
> let the servlet handle the roles and restrictions manually, for
> example using request.getUserPrincipal().
>
> When I use this type of configuration:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Test</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
> </login-config>
>
> the authentication works, but removing the <auth-constraint /> element
> removes any authentication challenge, even if, in this case, a
> recognised SSL client certificate is used (whether using
> clientAuth="true" or clientAuth="want"). I'd also like the solution not
> to rely on
> request.getAttribute("javax.servlet.request.X509Certificate"), as I'd
> like to be able to keep the abstraction provided by <auth-method />, etc.
>
> Any suggestions? I might have missed something in the documentation.


You haven't missed anything.  Tomcat simply doesn't try to authenticate a
user if authentication isn't required.  Simplest and most portable is to
create a Filter that is configured as the first filter, and takes an
auth-method init param to tell it what to use, and then wraps the request in
an HttpServletWrapper that overrides getUserPrincipal before sending it on
its way.

Other options include extending one or more of Tomcat's Authenticators, and 
configuring your app to use your Authenticator rather than Tomcat's.


> Best wishes,
>
> Bruno.






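The filter Bill describes, written out as an added example for this thread (it is not code from the thread, from Tomcat, or from JGuard). It assumes the javax.servlet API as shipped with Tomcat 6 through 9 and Java 9 or later (for Map.of/Set.of); the credential stores, the realm name "Test" and the subject "CN=bob,O=Example" are constructed stand-ins for whatever Realm or directory the application would really consult. The point it adds to the prose: "optional" must mean "absent credentials are tolerated", not "wrong credentials are tolerated", so a bad Authorization header or an untrusted certificate is refused instead of quietly falling through as anonymous.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Optional-authentication filter (illustrative, not Tomcat code). Mapped first on /*
 *  with no security-constraint in web.xml, so Tomcat itself never challenges. Anonymous
 *  requests pass with a null principal; wrong credentials are refused, not downgraded. */
public class OptionalAuthFilter implements Filter {
    // Constructed credential stores standing in for a Realm lookup (hypothetical);
    // a real store would hold password hashes, not cleartext.
    private static final Map<String, String> BASIC_USERS = Map.of("alice", "s3cret");
    private static final Set<String> TRUSTED_SUBJECTS = Set.of("CN=bob,O=Example");
    private String authMethod;   // "BASIC" or "CLIENT-CERT", from the init-param

    @Override
    public void init(FilterConfig config) {
        String m = config.getInitParameter("auth-method");
        authMethod = (m == null) ? "BASIC" : m.trim().toUpperCase();
    }

    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        boolean certMode = "CLIENT-CERT".equals(authMethod);
        Principal principal;
        try {
            principal = certMode ? authenticateCert(request) : authenticateBasic(request);
        } catch (AuthFailure e) {
            // Credentials were presented but are wrong: refuse instead of treating
            // the caller as anonymous. 401 lets a Basic client retry; 403 for certs.
            if (!certMode) response.setHeader("WWW-Authenticate", "Basic realm=\"Test\"");
            response.sendError(certMode ? HttpServletResponse.SC_FORBIDDEN
                                        : HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // No credentials offered: continue anonymously so a GET can still answer 200.
        chain.doFilter(principal == null ? request
                : new AuthenticatedRequest(request, principal, authMethod), response);
    }

    /** Parses an "Authorization: Basic" header; null means no credentials were sent. */
    private Principal authenticateBasic(HttpServletRequest request) throws AuthFailure {
        String header = request.getHeader("Authorization");
        if (header == null) return null;
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) throw new AuthFailure();
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new AuthFailure();   // malformed base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) throw new AuthFailure();
        String user = decoded.substring(0, colon);
        byte[] given = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        String expected = BASIC_USERS.get(user);
        // Constant-time comparison: timing must not reveal how much of the secret matched.
        if (expected == null
                || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) {
            throw new AuthFailure();
        }
        return () -> user;   // Principal has a single abstract method, so a lambda suffices
    }

    /** Reads the TLS-verified chain Tomcat exposes for clientAuth="want" or "true". */
    private Principal authenticateCert(HttpServletRequest request) throws AuthFailure {
        X509Certificate[] chain = (X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) return null;   // no certificate offered
        Principal subject = chain[0].getSubjectX500Principal();
        if (!TRUSTED_SUBJECTS.contains(subject.getName())) throw new AuthFailure();
        return subject;
    }

    private static final class AuthFailure extends Exception { }

    /** Request wrapper that hands the principal on to the servlets and JSPs. */
    private static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        private final String authType;
        AuthenticatedRequest(HttpServletRequest r, Principal p, String t) { super(r); principal = p; authType = t; }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal.getName(); }
        @Override public String getAuthType() { return authType; }
    }
}
```

To use it, declare the filter in web.xml with an init-param named auth-method, map it to /* ahead of any other filter-mapping, and leave out the security-constraint and login-config elements entirely, so the container never issues its own challenge; on the connector, clientAuth="want" makes Tomcat request a certificate without insisting on one. Servlets then branch on request.getUserPrincipal() being null or not. The trade-off Bruno raised stands: a Filter has no portable access to the container's Realm, so the CLIENT-CERT branch has to read the javax.servlet.request.X509Certificate attribute he wanted to avoid; the other route Bill mentions, extending Tomcat's Authenticator valve, keeps the Realm integration and the <auth-method /> abstraction but ties the deployment to Tomcat.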