tomcat-users mailing list archives

From rseque...@transentric.com
Subject Authentication (design) question
Date Thu, 18 Apr 2002 13:09:59 GMT

This should probably be asked in a design/development user list. But I'm
taking my chances. Flames - please direct to my email id rather than the
user list :-)
Well anyway.....
I have an application that is protected by Basic authentication. Well it's
an external module plugged into Apache. So when a user tries to log into a
secure directory, Apache (with the help of the external auth module) sends
a 401 error back to the browser. The user enters the userid:pwd and
everything works great.
Now the question: Suppose I display a login page (non-secure area) with a
form (userid, pwd textfields) to the user. The user enters the user id and
password and submits the page to a jsp, probably (or a servlet). I'd then
set an Authorization header in the jsp (servlet) and forward (or include -
wonder which would be appropriate) the request to the corresponding page in
the secure area. So far everything looks do-able. The secure page does it's
thing and sends back a response to the user. But I was wondering if the
user then tries to click on a link in the output which calls another page
in the secure area, will the browser pass the authentication headers (I
guess not). If it does not then Apache would probably send a 401 back. I
was hoping to eliminate the jsp (or servlet) that does the initial
authentication for future requests. I think I'm talking about a Controller
jsp (servlet) kind of deal here. But I want the controller only for login
purposes. Don't you think calling every request through the Controller
servlet would be a trade-off with respect to performance? If
performance isn't an issue then the jsp (or servlet) should be able to
call any page (jsp, html, servlet, coldfusion page, etc). Also the
controller jsp (servlet) would need to intercept a 401 error if the user
sends an invalid userid/pwd and redisplay the login form page.
Your ideas, comments, code would be appreciated.

Thanks
RS
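One way to get the "controller only for login" behaviour the post asks about, as an added example that is not from the original thread: a servlet filter that checks a session attribute on every request (a cheap lookup, so it avoids routing everything through a full controller), handles the login form POST itself, and redirects to the originally requested page. An Authorization header set inside a server-side forward is never seen by the browser, so the browser will not resend it on the next click; a session cookie is what carries the login state across requests. The `checkCredentials` hook, the `/login` and `/login.jsp` paths and the parameter names are assumptions; the filter also validates the `target` parameter so it cannot be used as an open redirect, and invalidates any pre-login session to avoid session fixation.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class LoginFilter implements Filter {
    // Session key holding the authenticated user id (assumed name).
    private static final String USER_ATTR = "authenticatedUser";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Fast path: already logged in, just one session attribute lookup per request.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);
            return;
        }

        // Login form submission (assumed to be POSTed to /login with userid/pwd/target).
        if ("POST".equals(request.getMethod()) && "/login".equals(request.getServletPath())) {
            String user = request.getParameter("userid");
            String pwd = request.getParameter("pwd");
            if (user != null && pwd != null && checkCredentials(user, pwd)) {
                if (session != null) {
                    session.invalidate(); // drop any pre-login session id (session fixation)
                }
                request.getSession(true).setAttribute(USER_ATTR, user);
                String target = request.getParameter("target");
                // Only allow local, absolute paths as the post-login destination.
                if (target == null || !target.startsWith("/") || target.startsWith("//")) {
                    target = "/";
                }
                response.sendRedirect(request.getContextPath() + target);
                return;
            }
            request.setAttribute("loginError", Boolean.TRUE); // login.jsp can show a message
        }

        // Not logged in: show the login form without leaking the protected page.
        request.setAttribute("target", request.getRequestURI());
        request.getRequestDispatcher("/login.jsp").forward(req, res);
    }

    // Placeholder for the application's real user store; assumed, not part of the post.
    private boolean checkCredentials(String user, String pwd) {
        return false;
    }
}
```

Map the filter to the protected URL pattern in web.xml; anything not matched by that pattern stays public.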