I am not sure the best way to do this but I know that it is possible
since Netegrity has a plug-in just as you are describing for
Weblogic, which is a pure Java web and app server. They use a Weblogic
LDAP authentication realm. You can check the docs at
http://www.weblogic.com/docs51/admindocs/ldap.html
You could also look at using the web application descriptors in web.xml.
That is more vendor neutral. There is a bunch of stuff there but you
will need to read it yourself:
http://java.sun.com/products/servlet/2.2/
Alex Amies
-----Original Message-----
From: Parvathi S [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 05, 2001 5:21 AM
To: [EMAIL PROTECTED]
Subject: Can servlet be used as a webserver plugin??
Hi all,
We are working on a web security product. This product currently
supports IIS, NSES and apache web servers. We do custom
authentication/authorization using our own database (Oracle/LDAP).
We have ISAPI, NSAPI and apache plugins for the respective web servers.
The control comes to the plugin for each of the stages in a web
request. We hook in our code to do the custom authentication.

The thing to note here is that we do not use any HTML page for doing
authentication. We use HTTP Basic authentication, which means we are
sending a "401 response" from the plugin. For Certificate authentication
we are using HTTPS. We are supporting combinations of basic and
certificate authentication. What I mean is simple basic, basic or
certificate, basic and certificate. For eg if it is basic or certificate
the user needs to give either basic credentials or certificate
credentials.

Another thing is, we are not doing any content management. All the web
pages are static. The only job of the plugin is to do authentication and
authorization. The "plugin" gets automatically started when the
webserver is started and will be alive for the duration of the
webserver. Plugins have callback methods which go to each stage
depending on the return code of the previous stage. So for eg if plugin
returns true for authentication stage (stages differ based on webserver
type) Webserver has a stage wherein it will check the webpage path given
maps to a physical directory in the webserver

Similar things we want to do using Servlets.

My questions are...

1) Are there such stages in servlets

2) How can the control come back to servlet for the same request.
For eg the user is requesting page 1.html. servlet is sending "401",
user is giving user id / password. Then it is validated against database
using a bean or directly from servlet. If it is successful, the static
page 1.html should be displayed, if not again 401 should be sent from
servlet, which means control should come to servlet depending on
HTTP return code

3) Should I need to do an explicit redirection for the page to get
displayed, if so won't the request again go thru the servlet, I mean
won't it be an infinite loop

4) whether the servlet can check whether the HTML page that we are
accessing really exists in the physical path

5) would like to use all these webservers for servlet. Can I configure
all these webservers to call the servlet automatically. I have tried
only with Java webserver. Couldn't see any option in IIS 4.0 or NSES

6) In servlet it should be possible to get the URI for the static page
which is given by the client and should be able to check for the
physical path automatically. For eg if client accesses 1.html, it
doesn't call the servlet explicitly and the servlet should be able to
find out the physical path of 1.html from the URI/Virtual directory for
1.html. 1.html will be under some virtual directory in the webserver.

Main thing to note here is there is no get/post happening here, nor any
submit for user authentication, and the servlet does not write anything
on the client, the pages are static. ie When the client requests a page,
say 1.html (this will be a static page), the servlet authenticates it
and displays the page as it is. Servlet only controls the access.

I would appreciate any help on this.
Thanks
Parvathi
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
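
Added example, not part of the original thread and not code from either poster: a sketch of the flow asked about in questions 2, 3, 4 and 6, where a servlet issues the Basic challenge, is called again for the same URL when the browser resends the request with credentials, and then streams the static page itself so no redirect is needed. It assumes the javax.servlet API on the classpath and Java 9 or later; the class name, the /docs/* mapping, the /WEB-INF/protected location and the demo account are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical gate servlet: map it to /docs/* in web.xml and keep the pages under
// /WEB-INF/protected/, which the container never serves directly.
public class BasicAuthGate extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (!authenticated(req.getHeader("Authorization"))) {
            // Challenge. The browser prompts and repeats the same GET with an
            // Authorization header, so control returns here without a redirect.
            resp.setHeader("WWW-Authenticate", "Basic realm=\"static-docs\"");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String path = req.getPathInfo(); // "/1.html" for a request to /docs/1.html
        // getResourceAsStream returns null when the page does not exist.
        InputStream in = (path == null || path.contains("..")) ? null
                : getServletContext().getResourceAsStream("/WEB-INF/protected" + path);
        if (in == null) { resp.sendError(HttpServletResponse.SC_NOT_FOUND); return; }
        String type = getServletContext().getMimeType(path);
        resp.setContentType(type != null ? type : "application/octet-stream");
        try (InputStream body = in) {
            body.transferTo(resp.getOutputStream()); // stream the page as it is
        }
    }
    // Decodes "Basic base64(user:password)"; a missing or malformed header is a failure.
    static boolean authenticated(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return false;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon > 0 && checkCredentials(pair.substring(0, colon), pair.substring(colon + 1));
        } catch (IllegalArgumentException malformedBase64) {
            return false;
        }
    }
    // Placeholder for the Oracle/LDAP lookup; the account below is constructed.
    static boolean checkCredentials(String user, String password) {
        byte[] given = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(given, "demo:constructed-password".getBytes(StandardCharsets.UTF_8));
    }
}
```

Basic credentials are only base64-encoded, so the mapping should be reachable over HTTPS only, as the original post already does for certificate authentication.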