httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ion Larrañaga <ila...@s21sec.com>
Subject RE: [users@httpd] Apache Basic Authorization and Java
Date Thu, 29 Aug 2002 13:20:19 GMT

Hi!

Then I think my proposal could work if instead of protecting / you protected
the servlet path. Even if you use Tomcat, Apache still processes your
servlet request, and I would bet (I haven't tried it myself) that you could
use:

<Location /your/servlet/url>
AuthType Basic
AuthName Login
Require valid-user
AuthUserFile "C:/Programme/Apache/Apache/conf/mod_auth.users"
</Location>

This way, your user would:

- Connect to http://server.domain.de (No login request here because
index.html not protected)
- Download your applet (Again, no login request because /classes/ice not
protected)
- The applet would make the request http://server.domain.de/your/servlet/url
. Before being sent to Tomcat, Apache would process the request and would
see that the location is protected. Then it would request user
authentication. So, the login would be requested here and only here. Once
the user sends a valid login/password, the request would pass to Tomcat.

This may have some problems:

- Your index.html page should be only a welcome page and download of the
applet. No private information should be displayed here as this page is not
protected.

- Same for the applet before making the request to the protected page.
Anyone will be able to download this applet, so it shouldn't contain private
information.

- I don't know if Apache-Tomcat with authentication in Apache would work as
I think (any comment from someone in the list?). If it doesn't, you could
make Tomcat authenticate the user, not Apache.

If this is not acceptable for you, there are other solutions. For instance,
index.html could be another servlet that made the authentication itself (not
relying in Apache or Tomcat) and generated a session that would be passed to
the applet so that it could demonstrate /your/servlet/url that it has
authenticated.

I hope I have helped you with any of these ones, or maybe given you any
ideas about how you can do it.

   Ion Larrañaga



-----Mensaje original-----
De: Skladovs, Victor [mailto:Skladov@his.de]
Enviado el: jueves, 29 de agosto de 2002 14:46
Para: users@httpd.apache.org
Asunto: AW: [users@httpd] Apache Basic Authorization and Java


Hi, Ion!

You've understood almost right.
1. /index.html (ROOT) is protected.
2. all my appplets and client - classes lie in /classes/ice
3. my servlets lie NOT under Apache, but under Tomcats Webapps
directory.
(Tomcat\webapps\myproject\WEB-INF\classes). Apache communicates with
Tomcat through the module mod_jk.

The Hard Disc structure looks as following:
C:\ice_wr\APACHE ROOT\html
C:\ice_wr\APACHE ROOT\classes\ice
C:\Apache\APACHE
C:\Apache\TOMCAT

What do I do:
1. I call my server:
http://server.domain.de

The first dialog (from Apache)is being opened.

2. From a HTML-Site(lies in C:\ice_wr\APACHE ROOT\html) I try to load my
applet, which lie in C:\ice_wr\APACHE ROOT\classes\ice. From this applet
I call my servlet that lies in
C:\Apache\TOMCAT\webapps\myproject\WEB-INF\classes. In this point I've
got the second dialog.

Any ideas?

Viktor

-----Ursprüngliche Nachricht-----
Von: Ion Larrañaga [mailto:ilarra@s21sec.com]
Gesendet: Donnerstag, 29. August 2002 14:27
An: users@httpd.apache.org
Betreff: RE: [users@httpd] Apache Basic Authorization and Java



Hi,

I'll tell you what I understood from your previous mails, maybe I'm
wrong.

I think that you want a user to connect to a web page (for instance,
/index.html) which requires authentication. After the user has given a
valid
login and password, an applet is downloaded from /classes/ice and,
during
applet execution, it connects to another protected web page (for
instance,
/application/servlet.html) which is served by Tomcat.

So your problem would be that the user has to provide login and password
twice: once when downloading index.html and the other one when the
applet
tries to connect to /application/servlet.html. Is this correct?

If I'm right, I think you could:

  - Leave unprotected both /index.html and /classes/ice
  - Protect /application/servlet.html

Of course, that would only work if the main page and the applet didn't
contain any critical information before connecting to the servlet.

Maybe I didn't understand your application. If that's the case, could
you
explain it in more detail?

   Ion Larrañaga


-----Mensaje original-----
De: Skladovs, Victor [mailto:Skladov@his.de]
Enviado el: jueves, 29 de agosto de 2002 13:56
Para: users@httpd.apache.org
Asunto: AW: [users@httpd] Apache Basic Authorization and Java


Hi, Ion!

I've already tried out that you've proposed. It failed. Reason: I can
read data from Http (for example, request.getRemoteUser()) ONLY if I
protect root.
In my httpd.conf:

<Location />
AuthType Basic
AuthName Login
Require valid-user
AuthUserFile "C:/Programme/Apache/Apache/conf/mod_auth.users"
</Location>

The problem appears when I load my applets which lie in /classes/ice.
Then I changed my httpd.conf to

<Location /classes/ice>
AuthType Basic
AuthName Login
Require valid-user
AuthUserFile "C:/Programme/Apache/Apache/conf/mod_auth.users"
</Location>

Yes, I've got the auth. dialog only once then, but user and password are
being not forwarded further. Why? What am I doing wrong?

Thanx,
Viktor


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message