Return-Path: Delivered-To: apmail-jakarta-tomcat-user-archive@www.apache.org Received: (qmail 54580 invoked from network); 3 Nov 2003 15:37:43 -0000 Received: from daedalus.apache.org (HELO mail.apache.org) (208.185.179.12) by minotaur-2.apache.org with SMTP; 3 Nov 2003 15:37:43 -0000 Received: (qmail 38059 invoked by uid 500); 3 Nov 2003 15:37:19 -0000 Delivered-To: apmail-jakarta-tomcat-user-archive@jakarta.apache.org Received: (qmail 37836 invoked by uid 500); 3 Nov 2003 15:37:17 -0000 Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Tomcat Users List" Reply-To: "Tomcat Users List" Delivered-To: mailing list tomcat-user@jakarta.apache.org Received: (qmail 37823 invoked from network); 3 Nov 2003 15:37:17 -0000 Received: from unknown (HELO nwkea-mail-1.sun.com) (192.18.42.13) by daedalus.apache.org with SMTP; 3 Nov 2003 15:37:17 -0000 Received: from phys-d3-ha21sca-1 ([129.145.155.163]) by nwkea-mail-1.sun.com (8.12.10/8.12.9) with ESMTP id hA3FbKUP014226 for ; Mon, 3 Nov 2003 07:37:20 -0800 (PST) Received: from apache.org (vpn-129-152-201-134.East.Sun.COM [129.152.201.134]) by ha21sca-mail1.sfbay.sun.com (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HNS009KY8Q73K@ha21sca-mail1.sfbay.sun.com> for tomcat-user@jakarta.apache.org; Mon, 03 Nov 2003 07:37:19 -0800 (PST) Date: Mon, 03 Nov 2003 10:37:19 -0500 From: Jean-Francois Arcand Subject: Re: Basic and Form authhentication in the same webapp (revisited). Request for opinions In-reply-to: <3FA5E970.4010505@vsl.ca> To: Tomcat Users List Message-id: <3FA6762F.8030309@apache.org> MIME-version: 1.0 Content-type: text/plain; format=flowed; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en-us, en User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030312 References: <200311022104430763.00706AA5@smtp.adsl.ya.com> <200311022227430564.00BC66FE@smtp.adsl.ya.com> <3FA5E970.4010505@vsl.ca> X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Vincent Aumont wrote: > Hello, > > I need your opinion on a solution I found to allow a single webapp to > support two authentication modes. > > The application Im working on has two types of clients: HTML and WML. > The controller (Struts) can forward a request to the appropriate JSP, > depending on the clients type. > WML clients (PDAs) are limited to Basic authentication; I want to use > FORM authentication for HTML clients. Because the Servlet 2.3 specs do > not allow to specify more than one authentication mode in web.xml, I > have to use 2 webapps if I want to stay compliant. > Last week I posted a solution to work around this, only to realize > that it does not work. > > I found this other solution: > > 1) I declare the security constraints in web.xml as usual. I set the > authentication mode to FORM. > 2) I have two custom classes: MyBasicAuthenticator and > MyFormAuthenticator that inherit from BasicAuthenticator and > FormAuthenticator, respectively. > 3) By nature, these two classes also implement the Valve interface. I > register them in my webapps context (in web.xml): > > > > > > > 4) These classes do nothing but invoke their super class it the client > has the appropriate type: > > public class MyBasicAuthenticator{ > > public void invoke(Request request, Response response, > ValveContext context) > throws IOException, ServletException > { > if (isWMLClient(request)) { > super.invoke(&); > } else { > context.invokeNext(request, response); > } > } > > public class MyFormAuthenticator{ > > public void invoke(Request request, Response response, > ValveContext context) > throws IOException, ServletException > { > if (isHTMLClient(request)) { > super.invoke(&); > } else { > context.invokeNext(request, response); > } > } > > Here is how it works: > - Setting the security constraints in web.xml will cause Tomact to add > a FormAuthenticator valve in the pipeline. > - TC will never execute that particular valve because the two valves I > have added to my context will be executed first and will take care of > authentication. > - When a WML client makes a request, MyBasicAuthenticator traps it and > executes Tomcat's BasicAuthenticatot code. Because I defined the > security constraints in web.xml, the authenticator receives the right > login info (protected urls, roles, etc.). If the user enters valid > credentials, the form authenticator tomcat created wont be called > because we already have a Principal. If the user provides invalid > credentials, the user gets an error and the pipeline is interrupted. > Therefore, the form authenticator Tomcat created wont be called either. > - Same thing for a request from an HTML client: MyFormAuthenticator > will traps the request and take care of the authentication. > > I tried it and it seems to work fine. > > Can you think of any gotchas? Am I missing something obvious? Is there > a simpler solution? How do you manage the case when someone else deploy a web app that requires basic authentication using the browser? If Tomcat is used only by your app, then your solution seems correct. -- Jeanfrancois > > > Thanks, > > -Vincent. > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org For additional commands, e-mail: tomcat-user-help@jakarta.apache.org