Hello,

I need your opinion on a solution I found to allow a single webapp to support two authentication modes.

The application I'm working on has two types of clients: HTML and WML. The controller (Struts) can forward a request to the appropriate JSP, depending on the client's type.
WML clients (PDAs) are limited to Basic authentication; I want to use FORM authentication for HTML clients. Because the Servlet 2.3 specs do not allow specifying more than one authentication mode in web.xml, I have to use 2 webapps if I want to stay compliant.
Last week I posted a solution to work around this, only to realize that it does not work.


I found this other solution:

1) I declare the security constraints in web.xml as usual. I set the authentication mode to FORM.
2) I have two custom classes: MyBasicAuthenticator and MyFormAuthenticator that inherit from BasicAuthenticator and FormAuthenticator, respectively.
3) By nature, these two classes also implement the Valve interface. I register them in my webapp's context (in web.xml):


<Context path="/test" docBase="/home/test">
  <Valve className="MyBasicAuthenticator"/>
  <Valve className="MyFormAuthenticator"/>
</Context>

4) These classes do nothing but invoke their super class if the client has the appropriate type:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.*;
import org.apache.catalina.authenticator.BasicAuthenticator;

public class MyBasicAuthenticator extends BasicAuthenticator {

    public void invoke(Request request, Response response, ValveContext context)
        throws IOException, ServletException {
        if (isWMLClient(request)) {
            super.invoke(request, response, context); // Tomcat's Basic auth handles it
        } else {
            context.invokeNext(request, response);    // not a WML client: leave it alone
        }
    }

    // Detection rule is not shown in the post; assumed here: Accept header offers WML
    private boolean isWMLClient(Request request) {
        String accept = ((HttpServletRequest) request.getRequest()).getHeader("Accept");
        return accept != null && accept.toLowerCase().indexOf("text/vnd.wap.wml") >= 0;
    }
}

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.apache.catalina.*;
import org.apache.catalina.authenticator.FormAuthenticator;

public class MyFormAuthenticator extends FormAuthenticator {

    public void invoke(Request request, Response response, ValveContext context)
        throws IOException, ServletException {
        if (isHTMLClient(request)) {
            super.invoke(request, response, context); // Tomcat's FORM auth handles it
        } else {
            context.invokeNext(request, response);    // not an HTML client: leave it alone
        }
    }

    // Detection rule is not shown in the post; assumed here: Accept header offers HTML
    private boolean isHTMLClient(Request request) {
        String accept = ((HttpServletRequest) request.getRequest()).getHeader("Accept");
        return accept != null && accept.toLowerCase().indexOf("text/html") >= 0;
    }
}

Here is how it works:
- Setting the security constraints in web.xml will cause Tomcat to add a FormAuthenticator valve in the pipeline.
- TC will never execute that particular valve because the two valves I have added to my context will be executed first and will take care of authentication.
- When a WML client makes a request, MyBasicAuthenticator traps it and executes Tomcat's BasicAuthenticator code. Because I defined the security constraints in web.xml, the authenticator receives the right login info (protected URLs, roles, etc.). If the user enters valid credentials, the form authenticator Tomcat created won't be called because we already have a Principal. If the user provides invalid credentials, the user gets an error and the pipeline is interrupted. Therefore, the form authenticator Tomcat created won't be called either.
- Same thing for a request from an HTML client: MyFormAuthenticator will trap the request and take care of the authentication.


I tried it and it seems to work fine.

Can you think of any gotchas? Am I missing something obvious? Is there a simpler solution?

Thanks,

-Vincent.
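An added example, not from the original post, of the client-type check both valves depend on (the post does not show how the WML/HTML decision is made); the ClientType class and its Accept-header parsing are assumed names and logic. It goes a step beyond a plain substring test by honouring q=0 and leaving unrecognised clients to neither valve, so the FORM authenticator Tomcat adds from web.xml still runs for them, as the post describes.

```java
import java.util.Locale;
import java.util.StringTokenizer;

// Assumed helper, not from the post: classifies a client from its Accept header
// so that both valves agree on which authenticator handles the request.
public final class ClientType {
    public static final int UNKNOWN = 0, WML = 1, HTML = 2;

    // Quality value of one media range ("text/html;q=0.8" -> 0.8; absent -> 1.0)
    private static double quality(String range) {
        StringTokenizer params = new StringTokenizer(range, ";");
        params.nextToken();                               // skip the media type itself
        while (params.hasMoreTokens()) {
            String p = params.nextToken().trim();
            if (p.startsWith("q=")) {
                try { return Double.parseDouble(p.substring(2)); }
                catch (NumberFormatException e) { return 0.0; } // malformed: treat as refused
            }
        }
        return 1.0;
    }

    // True if the header lists mediaType (exact match, case-insensitive) with q > 0
    public static boolean accepts(String accept, String mediaType) {
        if (accept == null) return false;
        StringTokenizer ranges = new StringTokenizer(accept, ",");
        while (ranges.hasMoreTokens()) {
            String range = ranges.nextToken().trim().toLowerCase(Locale.ENGLISH);
            int semi = range.indexOf(';');
            String type = (semi < 0 ? range : range.substring(0, semi)).trim();
            if (type.equals(mediaType) && quality(range) > 0) return true;
        }
        return false;
    }

    // WML wins when explicitly advertised, HTML otherwise; UNKNOWN means neither
    // custom valve claims the request and Tomcat's own FORM authenticator handles it.
    public static int classify(String accept) {
        if (accepts(accept, "text/vnd.wap.wml")) return WML;
        if (accepts(accept, "text/html")) return HTML;
        return UNKNOWN;
    }

    public static void main(String[] args) {
        // constructed sample headers: a PDA, a desktop browser, a client refusing WML
        System.out.println(classify("text/vnd.wap.wml, text/vnd.wap.wmlscript, */*"));
        System.out.println(classify("text/html,application/xhtml+xml;q=0.9,*/*;q=0.8"));
        System.out.println(classify("text/vnd.wap.wml;q=0, text/html")); // q=0: WML refused
        System.out.println(classify(null));                               // no header at all
    }
}
```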