Hi,
>Thank you for the information about the authorization header, form-based login
>and the POST method. So the authorization in the HTTP header isn't filled.
>However, I ask myself where the getRemoteUser and getAuthType methods
>get the information from, because these methods do work and I get the correct
>username and auth form.
Basic and form-based logon are totally separate in their logic; this is how they work:

1. Basic

Basic authentication is written into the HTTP specification. When attempting to access a page, the web server can determine if the permissions are insufficient, and reply with a "401 Unauthorized" response. The web browser then displays that popup login dialog to the user. The browser's next attempt to access the page includes an "Authorization" header with the authentication type ("BASIC") and the base64-encoded username:password. The web server checks this header against some database of users, and decides whether or not to permit the access.

Tomcat detects the "Authorization" header and sets the username in the request object.
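To make the Basic flow concrete, here is an added example (my own, not code from the original post or from Tomcat) of what a server does with the "Authorization" header: it parses the scheme and the base64 token, splits user and password at the first colon, checks the result against a constructed user table, and either sends the 401 challenge or records the values that getAuthType() and getRemoteUser() would later report. The user table, realm name and function names are assumptions made for this example.

```python
"""Added example: server-side handling of HTTP Basic authentication.
Not the original post's code; USERS, REALM and the function names are
constructed for illustration."""
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Constructed sample user database (username -> password).
# A real deployment stores salted password hashes, never plaintext.
USERS = {"alice": "s3cret", "bob": "hunter2"}
REALM = "example"


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic <token>' header,
    or None when the header is missing, uses another scheme, or is malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the first colon separates user-id from password;
    # the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(headers: dict) -> dict:
    """Simulate the server side of Basic auth for one request.
    Returns the HTTP status plus the values a servlet would see afterwards."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is not None:
        username, password = creds
        stored = USERS.get(username)
        # Constant-time comparison so timing does not leak how much matched.
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            return {"status": 200, "headers": {},
                    "auth_type": "BASIC", "remote_user": username}
    # No, foreign, malformed or wrong credentials: challenge the client.
    # The WWW-Authenticate header is what makes the browser show its login dialog.
    return {"status": 401,
            "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'},
            "auth_type": None, "remote_user": None}


def build_basic_header(username: str, password: str) -> str:
    """What a browser sends on its retry after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


if __name__ == "__main__":
    print(authenticate({}))
    print(authenticate({"Authorization": build_basic_header("alice", "s3cret")}))
```

Note that getRemoteUser() is only populated on the path where the credentials checked out; a request that carries no header, or a malformed one, gets the challenge and no user.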
2. Form-based

There is no HTTP or HTML specification covering form-based logon. This is a special feature of Tomcat (and I assume other JSP servers, but I'm not sure). In your web.xml file you specify (under the login-config for form-based login) the form-login-page and form-error-page.

If you attempt to access a page for which you don't have permission, Tomcat will instead serve up the form-login-page, keeping in your session the URL of the page you really want to get to. The form-login-page must have a particular action (j_security_check) which Tomcat will substitute with an appropriate URL, for internal use. The form-login-page must also have a j_username and j_password field.

When the form is submitted it goes to the Tomcat-defined URL where the j_username and j_password are extracted, and sent to the Realm configured in server.xml, for authentication and authorization. If this fails, Tomcat serves up the form-login-page again (up to three times) and then finally the form-error-page. If the logon is successful and the user has the required roles to access the originally desired page, that page will be served up.

Once the login is successful, Tomcat sets the username in the session object, and on every request transfers this into the request object.
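The form-based flow above, traced in code: the following is an added example written for this reply, not code from the original post or from Tomcat. It models the request filter as the post describes it: an unauthenticated hit on a protected URL stores that URL in the session and serves the login page; a POST to j_security_check checks j_username/j_password against a constructed realm, counts failures (the post's "up to three times"), then serves the error page; on success the user is stored in the session, the original URL is redirected to, and on every later request the session's user is copied into the request, which is where getRemoteUser() and getAuthType() read it from. Only j_security_check, j_username and j_password are real servlet-spec names; the classes, the page paths, the role, the URL prefix and the realm contents are assumptions made for this example.

```python
"""Added example: a minimal model of servlet form-based login.
Not Tomcat's code; Session, Request, Response, handle() and the constants
are constructed for illustration."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

LOGIN_PAGE = "/login.html"      # assumed <form-login-page>
ERROR_PAGE = "/error.html"      # assumed <form-error-page>
MAX_ATTEMPTS = 3                # the retry limit the post describes
PROTECTED_PREFIX = "/secure/"   # assumed <url-pattern> of the security constraint
REQUIRED_ROLE = "user"          # assumed <role-name> of that constraint

# Constructed realm: username -> (password, roles). A real realm stores hashes.
REALM = {"alice": ("s3cret", {"user"}), "guest": ("guest", {"visitor"})}


@dataclass
class Session:
    attrs: Dict[str, object] = field(default_factory=dict)


@dataclass
class Request:
    method: str
    path: str
    session: Session
    form: Dict[str, str] = field(default_factory=dict)
    # What a servlet would get back from getRemoteUser() / getAuthType():
    remote_user: Optional[str] = None
    auth_type: Optional[str] = None


@dataclass
class Response:
    status: int
    body: str = ""                  # the page served, given as a path in this model
    location: Optional[str] = None  # redirect target for a 302


def realm_authenticate(username: str, password: str) -> Optional[Set[str]]:
    """Return the user's roles on success, None on failure (constant-time compare)."""
    entry = REALM.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return entry[1]


def handle(req: Request) -> Response:
    s = req.session.attrs
    # Every request: transfer the session's user into the request object.
    if "user" in s:
        req.remote_user = s["user"]
        req.auth_type = "FORM"

    # The Tomcat-defined URL the login form posts to.
    if req.method == "POST" and req.path == "/j_security_check":
        roles = realm_authenticate(req.form.get("j_username", ""),
                                   req.form.get("j_password", ""))
        if roles is None:
            attempts = int(s.get("attempts", 0)) + 1
            s["attempts"] = attempts
            if attempts >= MAX_ATTEMPTS:
                s.pop("attempts", None)
                return Response(200, body=ERROR_PAGE)
            return Response(200, body=LOGIN_PAGE)
        # Success: remember the user in the session, go back to the saved URL.
        s["user"] = req.form["j_username"]
        s["roles"] = roles
        s.pop("attempts", None)
        return Response(302, location=str(s.pop("original_url", "/")))

    if req.path.startswith(PROTECTED_PREFIX):
        if "user" not in s:
            s["original_url"] = req.path   # keep the page the user really wanted
            return Response(200, body=LOGIN_PAGE)
        if REQUIRED_ROLE not in s.get("roles", set()):
            return Response(403)           # authenticated, but lacks the role
    return Response(200, body=req.path)
```

The point to take from the model is the last clause of the post: the user lives in the session, and the request object is only filled from it at the start of each request, which is why getRemoteUser() works for form login even though the request carries no Authorization header.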
Hope this clarifies things, and that I haven't made any glaring errors ;)
Twylite