tomcat-users mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: Basic and Form authentication in the same webapp (revisited). Request for opinions
Date Mon, 03 Nov 2003 15:37:19 GMT


Vincent Aumont wrote:

> Hello,
>
> I need your opinion on a solution I found to allow a single webapp to 
> support two authentication modes.
>
> The application I'm working on has two types of clients: HTML and WML. 
> The controller (Struts) can forward a request to the appropriate JSP, 
> depending on the client's type.
> WML clients (PDAs) are limited to Basic authentication; I want to use 
> FORM authentication for HTML clients. Because the Servlet 2.3 spec does 
> not allow more than one authentication mode to be specified in web.xml, I 
> have to use 2 webapps if I want to stay compliant.
> Last week I posted a solution to work around this, only to realize 
> that it does not work.
>
> I found this other solution:
>
> 1) I declare the security constraints in web.xml as usual. I set the 
> authentication mode to FORM.
> 2) I have two custom classes: MyBasicAuthenticator and 
> MyFormAuthenticator that inherit from BasicAuthenticator and 
> FormAuthenticator, respectively.
> 3) By nature, these two classes also implement the Valve interface. I 
> register them in my webapps context (in web.xml):
>
> <Context path="/test" docBase="/home/test">
> <Valve className="PortalBasicAuthenticator"/>
> <Valve className="PortalFormAuthentication"/>
> </Context>
>
> 4) These classes do nothing but invoke their super class if the client 
> has the appropriate type:
>
> import java.io.IOException;
> import javax.servlet.ServletException;
> import javax.servlet.http.HttpServletRequest;
> import org.apache.catalina.Request;
> import org.apache.catalina.Response;
> import org.apache.catalina.ValveContext;
> import org.apache.catalina.authenticator.BasicAuthenticator;
> import org.apache.catalina.authenticator.FormAuthenticator;
>
> public class MyBasicAuthenticator extends BasicAuthenticator {
>
>     public void invoke(Request request, Response response,
>                        ValveContext context)
>             throws IOException, ServletException {
>         if (isWMLClient(request)) {
>             // WML client: run Tomcat's BASIC authentication
>             super.invoke(request, response, context);
>         } else {
>             // Not a WML client: hand the request to the next valve
>             context.invokeNext(request, response);
>         }
>     }
>
>     // Client-type test (assumed; the post does not show it): WML browsers
>     // advertise text/vnd.wap.wml in their Accept header.
>     static boolean isWMLClient(Request request) {
>         HttpServletRequest req = (HttpServletRequest) request.getRequest();
>         String accept = req.getHeader("Accept");
>         return accept != null && accept.indexOf("text/vnd.wap.wml") >= 0;
>     }
> }
>
> public class MyFormAuthenticator extends FormAuthenticator {
>
>     public void invoke(Request request, Response response,
>                        ValveContext context)
>             throws IOException, ServletException {
>         if (isHTMLClient(request)) {
>             // HTML client: run Tomcat's FORM authentication
>             super.invoke(request, response, context);
>         } else {
>             context.invokeNext(request, response);
>         }
>     }
>
>     // Anything that is not a WML client is treated as an HTML client
>     static boolean isHTMLClient(Request request) {
>         return !MyBasicAuthenticator.isWMLClient(request);
>     }
> }
>
> Here is how it works:
> - Setting the security constraints in web.xml will cause Tomcat to add 
> a FormAuthenticator valve in the pipeline.
> - TC will never execute that particular valve because the two valves I 
> have added to my context will be executed first and will take care of 
> authentication.
> - When a WML client makes a request, MyBasicAuthenticator traps it and 
> executes Tomcat's BasicAuthenticator code. Because I defined the 
> security constraints in web.xml, the authenticator receives the right 
> login info (protected URLs, roles, etc.). If the user enters valid 
> credentials, the form authenticator Tomcat created won't be called 
> because we already have a Principal. If the user provides invalid 
> credentials, the user gets an error and the pipeline is interrupted. 
> Therefore, the form authenticator Tomcat created won't be called either.
> - Same thing for a request from an HTML client: MyFormAuthenticator 
> will trap the request and take care of the authentication.
>
> I tried it and it seems to work fine.
>
> Can you think of any gotchas? Am I missing something obvious? Is there 
> a simpler solution? 


How do you manage the case when someone else deploys a web app that 
requires basic authentication using the browser? If Tomcat is used only 
by your app, then your solution seems correct.

-- Jeanfrancois

> Thanks,
>
> -Vincent.


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

