tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jess Holle <>
Subject Re: Form based + Basic Authentication
Date Sun, 16 Oct 2005 14:58:00 GMT
P.S. If none of this is possible in any quasi-portable manner, I'd still 
be interested in how to do it just for Tomcat 5.5.x.

Jess Holle wrote:

> Does anyone have any pointers as to how one can achieve form-based 
> authentication with an "out" for basic authentication?
> Essentially given programmatic clients that expect a protocol level 
> authentication mechanism like HTTP Basic and human clients that are 
> more comfortable with form based authentication, the desire would be 
> to have each URL do form based authentication except where the 
> user-agent or headers suggest thatt basic authentication is more 
> appropriate.  After initial login cookie-based behavior is acceptable 
> in either case.  What is not realistic, however, is to expect every 
> programmatic client to know about form based login, which is, after 
> all, an ad hoc application-level convention (albeit formalized in the 
> servlet spec) rather than a protocol-handler-level standard.
> What I'm looking for is pointers to do this in a way that will be 
> portable across all servlet 2.4 and higher servlet engines.
> Somewhat separately we may end up with our own custom realm (or 
> realm-like object) at least in cases where we can get a hold of this 
> layer as only being able to check a single LDAP is not a realistic 
> constraint these days.  [Tomcat's JNDI realm allow you to provide an 
> alternate URL when the first URL is unreachable, but what's needed is 
> a list of URLs where the first containing data for a given user id 
> wins.  One could/should constrain the URLs to not contain overlapping 
> user id sets, of course.]
> -- 
> Jess Holle

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message