tomcat-users mailing list archives

From "Matthew Mauriello" <mm578...@albany.edu>
Subject Re: Question about BASIC Authentication
Date Thu, 01 Jul 2010 00:20:59 GMT
Christopher,

The behavior seems rather strange to me; in fact, I've seen other websites
run on what looks to be BASIC Authentication without popping these browser
messages when leaving secured sections.

See, the http://user:password@website.com/SOLR is only used once, and it
might actually be http://user:password@website.com/SOLR/. I have to look
into this.

I feel like the authentication cookie is being created for the user and
then being forwarded to every page the user visits after that.

I am hoping to find some way of preventing this behavior.

~Matt

>
> Matthew,
>
> On 6/30/2010 12:07 AM, Matthew Mauriello wrote:
>> I have two directories in 'webapps' other than ROOT. ROOT redirects users
>> to webappA. WebappA does not use tomcat's basic authentication, but if you
>> log into the application there are links inside it that send the user to
>> the SOLR webapp via http://user:password@website.com/SOLR.
>
> Ok.
>
>> SOLR uses basic authentication. The problem is once the browser logs into
>> SOLR the error message pops up when navigating back to WebappA.
>
> Where is webappA deployed? /webappA? Generally, when the server requests
> BASIC authentication, the client will then provide credentials to the
> server for the original URL plus any URLs that are "under" it. I wonder
> if you used "http://user:password@website.com/SOLR/" (note the trailing
> slash) if you might avoid this behavior. I think the browser sees
> http://user:password@website.com/SOLR, removes the SOLR from the end
> (because it thinks that's the name of the resource), and then anything
> starting with http://website.com/ will then get the HTTP AUTH headers.
>
>> I understand this isn't the greatest setup, but other than the constant
>> pop-up message after logging into SOLR it meets the needs of the very few
>> users on the website.
>
> It's odd that your web browser complains about this... it implies that
> the browser pre-fetches the URL /without/ the authentication header,
> just to see if the server replies with a request-for-authentication
> header. That's actually kind of a nice security feature.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


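Chris's description of how a browser scopes BASIC credentials (the request path up to its last slash) can be modelled directly. The following is an added example, not code from this thread or from Tomcat or Solr; it implements the RFC 7617 protection-space rule for the two link forms discussed (with and without the trailing slash) and checks whether a later request to webappA would receive the cached credentials. The hostnames, paths and user:password values are the placeholders used in the thread.

```python
import base64
from urllib.parse import urlsplit


def _origin(parts) -> str:
    """scheme://host[:port] with any user:password@ userinfo dropped."""
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def protection_space(challenge_url: str) -> str:
    """Prefix a client may treat as one BASIC protection space after a
    401 challenge at challenge_url (RFC 7617 section 2.2): the request
    path up to and including its last '/', so the final segment is
    dropped. '/SOLR' therefore yields '/', while '/SOLR/' keeps '/SOLR/'."""
    parts = urlsplit(challenge_url)
    path = parts.path or "/"
    prefix = path[: path.rfind("/") + 1]
    return _origin(parts) + prefix


def would_send_credentials(space: str, url: str) -> bool:
    """True if a client that learned `space` would attach the cached
    Authorization header to `url` preemptively: same scheme, host and
    port, and a path under the prefix. The query string does not matter."""
    parts = urlsplit(url)
    return (_origin(parts) + (parts.path or "/")).startswith(space)


def basic_authorization_from_url(url: str) -> str:
    """Authorization header value a client derives from the user:password@
    userinfo in a link like the one in the thread. Included to show that
    the secret travels as a reversible encoding, not a hash."""
    parts = urlsplit(url)
    raw = f"{parts.username or ''}:{parts.password or ''}".encode()
    return "Basic " + base64.b64encode(raw).decode()


if __name__ == "__main__":
    # Constructed URLs mirroring the thread's placeholders.
    for link in ("http://user:password@website.com/SOLR",
                 "http://user:password@website.com/SOLR/"):
        space = protection_space(link)
        leaks = would_send_credentials(space, "http://website.com/webappA/")
        print(f"{link:42} space={space:28} webappA gets creds: {leaks}")
```

With the slash-less link the computed space is the whole host, so every path on it, webappA included, is treated as protected; with the trailing slash only /SOLR/ and below are.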