Hi all,
We are working on a web security product. This product currently supports IIS, NSES and Apache web servers. We do custom authentication/authorization using our own database (Oracle/LDAP). We have ISAPI, NSAPI and Apache plugins for the respective web servers. The control comes to the plugin for each of the stages in a web request. We hook in our code to do the custom authentication.
The thing to note here is that we do not use any HTML page for doing authentication. We use HTTP Basic authentication, which means we are sending a "401 response" from the plugin. For certificate authentication we are using HTTPS. We are supporting combinations of basic and certificate authentication. What I mean is simple basic, basic or certificate, basic and certificate. E.g. if it is basic or certificate, the user needs to give either basic credentials or certificate credentials.
Another thing is, we are not doing any content management. All the web pages are static. The only job of the plugin is to do authentication and authorization. The "plugin" gets automatically started when the web server is started and will be alive for the duration of the web server. Plugins have callback methods which go to each stage depending on the return code of the previous stage. So e.g. if the plugin returns true for the authentication stage (stages differ based on web server type)
The web server has a stage wherein it will check whether the webpage path given maps to a physical directory in the web server.
We want to do similar things using servlets.
My questions are...
1) Are there such stages in servlets?
2) How can the control come back to the servlet for the same request? E.g. the user is requesting page 1.html. The servlet is sending "401", the user is giving user id/password. Then it is validated against the database using a bean or directly from the servlet. If it is successful, the static page 1.html should be displayed; if not, 401 should again be sent from the servlet, which means control should come to the servlet depending on the HTTP return code.
3) Do I need to do an explicit redirection for the page to get displayed? If so, won't the request again go through the servlet, I mean won't it be an infinite loop?
4) Can the servlet check whether the HTML page that we are accessing really exists in the physical path?
5) We would like to use all these web servers for the servlet. Can I configure all these web servers to call the servlet automatically? I have tried only with Java Web Server. Couldn't see any option in IIS 4.0 or NSES.
6) In the servlet it should be possible to get the URI for the static page which is given by the client, and it should be able to check for the physical path automatically. E.g. if the client accesses 1.html, it doesn't call the servlet explicitly, and the servlet should be able to find out the physical path of 1.html from the URI/virtual directory for 1.html. 1.html will be under some virtual directory in the web server.
The main thing to note here is that there is no get/post happening here, nor any submit for user authentication, and the servlet does not write anything on the client; the pages are static. I.e. when the client requests a page, say 1.html (this will be a static page), the servlet authenticates it and displays the page as it is. The servlet only controls the access.
I would appreciate any help on this.
Thanks
Parvathi
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
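
The request flow described in the post (401 challenge, credential check, then the static page served from its physical path), sketched as an added example that is not part of the original message or of any product mentioned in it. It assumes the `javax.servlet` API on Java 8 or later and a mapping such as `/docs/*`; the class name, the realm and the `isValidUser` hook are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.Base64;
import javax.servlet.http.*;

// Added example: map to the protected URL pattern (assumed /docs/*) in web.xml.
public class StaticAuthServlet extends HttpServlet {
    private static final String REALM = "Protected"; // assumed realm name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String[] cred = parseBasic(req.getHeader("Authorization"));
        if (cred == null || !isValidUser(cred[0], cred[1])) {
            // Challenge. The browser repeats the same request with an Authorization
            // header, so control returns here without any redirect.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Map the requested URI to a physical path under the web application root.
        String info = req.getPathInfo();
        String real = getServletContext().getRealPath(req.getServletPath() + (info == null ? "" : info));
        String rootReal = getServletContext().getRealPath("/");
        if (real == null || rootReal == null || !Files.isRegularFile(Paths.get(real))
                // Resolve symlinks and ".." so nothing outside the root is served.
                || !Paths.get(real).toRealPath().startsWith(Paths.get(rootReal).toRealPath())) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String type = getServletContext().getMimeType(real);
        resp.setContentType(type != null ? type : "application/octet-stream");
        Files.copy(Paths.get(real), resp.getOutputStream()); // stream the page unchanged
    }

    // Returns {user, password}, or null when the header is absent or malformed.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            return colon < 0 ? null
                    : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
    }

    // Hypothetical hook for the database/LDAP check; denies everyone until overridden.
    protected boolean isValidUser(String user, String password) { return false; }
}
```

Basic credentials are only Base64-encoded, so a deployment like this belongs behind HTTPS.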