From: Ion Larrañaga
Date: Thu, 29 Aug 2002 14:26:56 +0200
Subject: RE: [users@httpd] Apache Basic Authorization and Java

Hi,

I'll tell you what I understood from your previous mails, maybe I'm wrong.

I think that you want a user to connect to a web page (for instance, /index.html) which requires authentication. After the user has given a valid login and password, an applet is downloaded from /classes/ice and, during applet execution, it connects to another protected web page (for instance, /application/servlet.html) which is served by Tomcat.

So your problem would be that the user has to provide login and password twice: once when downloading index.html and the other one when the applet tries to connect to /application/servlet.html. Is this correct?

If I'm right, I think you could:

- Leave unprotected both /index.html and /classes/ice
- Protect /application/servlet.html

Of course, that would only work if the main page and the applet didn't contain any critical information before connecting to the servlet.

Maybe I didn't understand your application. If that's the case, could you explain it in more detail?

Ion Larrañaga

-----Original Message-----
From: Skladovs, Victor [mailto:Skladov@his.de]
Sent: Thursday, 29 August 2002 13:56
To: users@httpd.apache.org
Subject: AW: [users@httpd] Apache Basic Authorization and Java

Hi, Ion!

I've already tried out what you've proposed. It failed.
Reason: I can read data from Http (for example, request.getRemoteUser()) ONLY if I protect root.

In my httpd.conf:

    AuthType Basic
    AuthName Login
    Require valid-user
    AuthUserFile "C:/Programme/Apache/Apache/conf/mod_auth.users"

The problem appears when I load my applets which lie in /classes/ice.
Then I changed my httpd.conf to

    AuthType Basic
    AuthName Login
    Require valid-user
    AuthUserFile "C:/Programme/Apache/Apache/conf/mod_auth.users"

Yes, I've got the auth. dialog only once then, but user and password are not being forwarded further. Why? What am I doing wrong?

Thanx,
Viktor

-----Original Message-----
From: Ion Larrañaga [mailto:ilarra@s21sec.com]
Sent: Thursday, 29 August 2002 13:20
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache Basic Authorization and Java

It's not good hardcoding users and passwords in Java bytecode. There are several decompilers available that can be used to recover the source code, and with it, your hardcoded login and password.

I think the best way to do what you want is to create a separate unprotected web page that sends the applet. It then connects to the protected pages, thus requiring authentication only once (as only the applet requests protected pages). Still, I don't know if this is acceptable for your application.

I just want to remark that you should never hardcode logins and passwords in your Java applications or applets.

Hope it helps,

Ion Larrañaga

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle@swx.com]
Sent: Thursday, 29 August 2002 12:57
To: users@httpd.apache.org
Subject: RE: [users@httpd] Apache Basic Authorization and Java

I don't know how to do this. The password is not available as a CGI variable so I don't think there is a way to capture it... I was only thinking to hardcode a special user/pass pair into the java client (since the client is delivered as byte-code, no-one can read it...)

Rgds,

Owen Boyle

>-----Original Message-----
>From: Skladovs, Victor [mailto:Skladov@his.de]
>Sent: Thursday, 29 August 2002 12:32
>To: users@httpd.apache.org
>Subject: AW: [users@httpd] Apache Basic Authorization and Java
>
>
>Thanks for mail!
>
>Is it possible to make the following: to read the user and the password
>from the Http in Client and to forward this information further before
>opening a connection to servlet?
>How can I access the Apache Http from a client? Is it still "alive"?
>
>
>Thanks,
>Viktor
>
>-----Original Message-----
>From: Boyle Owen [mailto:Owen.Boyle@swx.com]
>Sent: Thursday, 29 August 2002 12:18
>To: users@httpd.apache.org
>Subject: RE: [users@httpd] Apache Basic Authorization and Java
>
>
>To see why this is happening, you need to understand how authentication
>works. To access the protected directory, all requests need to provide
>the Authorization header containing the username and password. This
>holds whether the request is from a browser or a java client.
>(see
>http://marc.theaimsgroup.com/?l=apache-httpd-users&m=103044845517207&w=2
>)
>
>Presumably your java client is making a request from the server - so it
>has to authenticate itself. You are lucky that the VM class which
>handles the socket recognises the 401 response and prompts you - I would
>have expected just an exception...
>
>To allow the java client to authenticate itself without prompting, you
>could build-in the Authorization header in the Java client (you need to
>add the line below to the request header):
>
>Authorization: BASIC
>
>Rgds,
>
>Owen Boyle
>
>>-----Original Message-----
>>From: Skladovs, Victor [mailto:Skladov@his.de]
>>Sent: Thursday, 29 August 2002 12:01
>>To: users@httpd.apache.org
>>Subject: [users@httpd] Apache Basic Authorization and Java
>>
>>
>>Dear Friends!
>>
>>I have a problem with Apache Basic Authorization and Java Plug-In when
>>using the latest version of Netscape and Internet Explorer with Sun java
>>VM.
>>
>>I am not sure of being here right, but all my applies to Sun Forums and
>>other related user groups failed :-(((
>>
>>I'll try to explain the situation as clear as possible:
>>I'm using the Basic Authorization Scheme from Apache 1.3.26.
>>After logging in on the Web-server, I try to call my applet which
>>communicates with the application server through servlets (I use
>>Tomcat-4.0.4-LE as a servlet container).
>>When pressing the link from which an applet and a servlet are being
>>called, I get a Log-In Dialog again, but this time - from Java Plug-In.
>>although I had been already authenticated myself!
>>
>>I have this problem only with the latest version of Netscape and with
>>all versions of Internet Explorer with SUN VM. When changing to
>>Microsoft VM in IE settings the problem disappeared. But I'd like to
>>use the VM from SUN ...
>>
>>For the Netscape I haven't found any solution at all. The worst thing is
>>that I can't understand the nature of this "double" (one from Apache,
>>another from Java) authorization... Why doesn't Java know that I've been
>>already authenticated myself? Can I give Java this information at all?
>>
>>I'm using Java 1.4.0_01.
>>
>>Could anybody point me in the right direction?
>>
>>Thanks in advance
>>Viktor
>>
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP
>>Server Project.
>>See for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
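
Ion's warning that credentials compiled into a Java client can be recovered can be turned into a pre-release check. The following is an added example, not part of the original thread: it reads the constant pool of a class file and reports string literals shaped like a Basic Authorization value. The function names, the sample class bytes and the account applet/s3cret are constructed for illustration.

```python
import base64
import struct

# Sizes of the fixed-length constant-pool entries by tag (JVM spec, section 4.4).
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def string_literals(data):
    """Return the string literals (CONSTANT_String targets) of a class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pos, index, utf8, refs = 10, 1, {}, []
    while index < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            (length,) = struct.unpack_from(">H", data, pos)
            utf8[index] = data[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            pos += 2 + length
        elif tag in FIXED:
            if tag == 8:  # CONSTANT_String: u2 index of its Utf8 entry
                refs.append(struct.unpack_from(">H", data, pos)[0])
            pos += FIXED[tag]
        else:
            raise ValueError("unknown constant-pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1  # long and double take two slots
    return [utf8[i] for i in refs if i in utf8]

def embedded_basic_credentials(data):
    """Return (user, password) pairs from literals shaped like 'Basic <base64>'."""
    hits = []
    for literal in string_literals(data):
        scheme, _, token = literal.partition(" ")
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # not base64, or not text
            continue
        if scheme.lower() == "basic" and ":" in decoded:
            hits.append(tuple(decoded.split(":", 1)))
    return hits

def utf8_entry(text):
    return b"\x01" + struct.pack(">H", len(text)) + text.encode("ascii")

# Constructed sample: header and constant pool of a class compiled for Java 1.4
# (major version 48) that embeds a made-up account in an Authorization value.
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 48, 9)
          + utf8_entry("Authorization") + b"\x08\x00\x01"
          + utf8_entry("Basic " + base64.b64encode(b"applet:s3cret").decode()) + b"\x08\x00\x03"
          + b"\x05" + bytes(8) + utf8_entry("Client") + b"\x07\x00\x07")
```

Calling embedded_basic_credentials() on the bytes of each .class file in a build output lists any account that would ship inside the client.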