tomcat-dev mailing list archives

From Jess Holle <>
Subject Form based + Basic Authentication
Date Sun, 16 Oct 2005 14:53:16 GMT
Does anyone have any pointers as to how one can achieve form-based 
authentication with an "out" for basic authentication?

Essentially given programmatic clients that expect a protocol level 
authentication mechanism like HTTP Basic and human clients that are more 
comfortable with form based authentication, the desire would be to have 
each URL do form based authentication except where the user-agent or 
headers suggest that basic authentication is more appropriate.  After 
initial login, cookie-based behavior is acceptable in either case.  What 
is not realistic, however, is to expect every programmatic client to 
know about form based login, which is, after all, an ad hoc 
application-level convention (albeit formalized in the servlet spec) 
rather than a protocol-handler-level standard.

What I'm looking for is pointers to do this in a way that will be 
portable across all servlet 2.4 and higher servlet engines.

Somewhat separately we may end up with our own custom realm (or 
realm-like object) at least in cases where we can get a hold of this 
layer as only being able to check a single LDAP is not a realistic 
constraint these days.  [Tomcat's JNDI realm allows you to provide an 
alternate URL when the first URL is unreachable, but what's needed is a 
list of URLs where the first containing data for a given user id wins.  
One could/should constrain the URLs to not contain overlapping user id 
sets, of course.]

Jess Holle
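
One way to get the behavior asked about above without container-specific code is a servlet filter that does the authentication itself, since a web.xml `<login-config>` accepts only one `<auth-method>`. This is an added example, not part of the original message and not Tomcat code. It assumes Java 8+ for `java.util.Base64`, a hypothetical login form at `/login.jsp` that posts back to the same path and sets the same session attribute, and a hypothetical `verify()` hook for the credential check.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. USER_ATTR, LOGIN_PAGE, the realm name and verify() are hypothetical.
public class FormOrBasicFilter implements Filter {
    static final String USER_ATTR = "auth.user";    // the form handler sets this too
    static final String LOGIN_PAGE = "/login.jsp";
    /** Hypothetical hook: override with the real credential check. Denies by default. */
    protected boolean verify(String user, String password) { return false; }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);
        boolean loggedIn = s != null && s.getAttribute(USER_ATTR) != null;
        if (loggedIn || LOGIN_PAGE.equals(req.getServletPath())) {
            chain.doFilter(req, res);   // session from either mechanism, or the form itself
            return;
        }
        String h = req.getHeader("Authorization");
        String[] cred = (h != null && h.regionMatches(true, 0, "Basic ", 0, 6))
                ? decode(h.substring(6).trim()) : null;
        // Basic credentials are only base64-encoded, so accept them over TLS only.
        if (cred != null && req.isSecure() && verify(cred[0], cred[1])) {
            if (s != null) s.invalidate();   // fresh session id after login
            req.getSession(true).setAttribute(USER_ATTR, cred[0]);
            chain.doFilter(req, res);
            return;
        }
        String accept = req.getHeader("Accept");
        if (h == null && accept != null && accept.contains("text/html")) {
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PAGE));
        } else {   // programmatic client, or rejected Basic credentials: protocol-level challenge
            res.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
    static String[] decode(String b64) {
        try {
            String p = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
            int i = p.indexOf(':');   // first colon splits; the password may contain ':'
            return i < 0 ? null : new String[] { p.substring(0, i), p.substring(i + 1) };
        } catch (IllegalArgumentException e) { return null; }   // malformed base64
    }
    public void init(FilterConfig c) {}
    public void destroy() {}
}
```

The `Accept` header is client-controlled, so it is used only to pick which challenge an unauthenticated request receives; access is granted solely on the session attribute or on verified credentials.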
