tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Authentication from the browser
Date Wed, 03 Jun 2009 14:25:24 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alec,

On 6/2/2009 2:03 PM, Alec Swan wrote:
> Hassan, I don't think that the goals are contradictory, because each goal
> applies to its own group of users: our customer users and everybody else.
> Customer users should not have to enter user name and password, but
> everybody else should.

What authentication mechanism are you using already? FORM? BASIC?

With BASIC or DIGEST authentication, it's easy enough to put the
credentials into the request that the remote server sends to you.

If you're using FORM authentication, it's more complicated because
Tomcat's authentication /requires/
request->challenge->credentials->repeat-request. If you use
securityfilter (http://securityfilter.sourceforge.net), you can do
drive-by logins by just calling j_security_check directly (without an
initial request).

Another option (which I prefer) is to provide a service that is oriented
toward these clients which accepts credentials in a different form.
Don't use container-managed security for this service. Instead, accept
credentials in some other way. You can accept username and password, or
you could even accept a single token which is encrypted using a
pre-shared key.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkomh9QACgkQ9CaO5/Lv0PB/wwCfdVDhW0QEwL4psZmLz2ff1JM+
EwQAnjjeCbAPtHbiJBvGJV1HVpwdkl0r
=8h+o
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message