tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Authentication from the browser
Date Wed, 03 Jun 2009 14:31:29 GMT

Alec,

On 6/2/2009 6:08 PM, Alec Swan wrote:
>> ? You can't put HTTP headers "in" a link, unless you're processing 
>> it through some proxy mechanism...
>> 
> 
> Looks like the last SecurityFilter build was released on Dec. 14,
> 2004, which makes me hesitant to use it.

The servlet specification regarding authentication and authorization
hasn't changed in a long time, so newer releases haven't been warranted.

The project is definitely active, in spite of a lack of recent releases.

> I am wondering if it is possible to use JavaScript to include the
> user name and password in the HTTP header when the link is clicked.

Yuk. Relying on javascript for security is, IMO, a terrible mistake.

> Does this mean that there is no way to authenticate against Tomcat
> server unless the server initiated the request itself?

No, that means that the client must make a request for a protected
resource /before/ the client can provide credentials to the server (i.e.
"no drive-by logins").

-chris