This kind of question is better addressed to the TOMCAT-USER list, since
it's about how to *use* Tomcat instead of how to *develop* Tomcat.

On Thu, 14 Mar 2002, Zhidong Yu wrote:

> Date: Thu, 14 Mar 2002 20:04:59 -0800
> From: Zhidong Yu <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Can I do HTTP authentication in my servlet?
>
> I am using Tomcat as the servlet container. What I want to do is write a
> servlet which does HTTP authentication without Tomcat's interaction. Is it
> possible?
>
> In detail, to enable HTTP authentication (basic realm), you should
> configure the web.xml in your webapp, and configure the
> username/password/role in %TOMCAT_HOME%/conf/tomcat-user.xml. But I want
> to use my ACL in my servlet, so I would process any of the user requests
> myself, and determine whether it needs authentication, then return a
> challenge response to the client, and so on.
>
> A typical scenario is:
>
> client: send a GET /myapp/abc.xml HTTP/1.1, here myapp is my webapp,
> and abc.xml is retrieved by the servlet from some data source where
> authentication is needed.
> servlet: find no Authorization header is available, so return an HTTP 401
> response to challenge the client for username/password
> client: send the GET request again with an Authorization header
> servlet: try to access the data source, but the username/password have
> no right to access abc.xml, so it returns an HTTP 401 again
> client: send the GET with the correct username/password
> servlet: get abc.xml and return it to the client.
>

With Tomcat 4, you can easily do all of the above with a Servlet, but you
can also use a Filter, and not even have to mess with the application
itself.  Take a look at how Tomcat's Authenticator valves work (package
org.apache.catalina.authenticator) for ideas about how to do the HTTP
interactions.

Of course, the only thing on your list that is non-standard is the idea of
challenging the user for a different set of credentials if they don't have
the right ones for a particular resource.  That kind of goes against the
grain of what container managed security is all about (authentication and
access control are two discrete concepts), but it should be possible to
make it work.

You will, of course, need to avoid setting up any <security-constraint>
elements in your web.xml file -- that will keep Tomcat's security software
completely out of your way.

> --zhidong
>

Craig
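The Filter approach Craig describes, as an added example that is not part of the original thread and not Tomcat's own Authenticator code: a servlet Filter that issues the 401 challenge itself, parses the Basic Authorization header, checks the credentials, and then consults an application-side ACL for the requested path, re-challenging (the non-standard step) when the authenticated user has no right to that resource. The credential store, the ACL map, the realm name "myapp" and the class name are all constructed for this example; a real deployment would look the credentials and permissions up in its own data source. It assumes a JDK with java.util.Base64 and the javax.servlet API (Servlet 2.3 or later), and that no <security-constraint> is declared for the paths it covers.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical filter doing HTTP Basic authentication without the
 * container's help.  Map it in web.xml (constructed example):
 *
 *   <filter>
 *     <filter-name>BasicAuthFilter</filter-name>
 *     <filter-class>BasicAuthFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>BasicAuthFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class BasicAuthFilter implements Filter {

    private static final String REALM = "myapp"; // constructed realm name

    // Constructed credential store: username -> password.
    private static final Map<String, String> USERS = new HashMap<>();
    // Constructed ACL: path inside the webapp -> the one user allowed to read it.
    private static final Map<String, String> ACL = new HashMap<>();
    static {
        USERS.put("alice", "alice-password");
        USERS.put("bob", "bob-password");
        ACL.put("/abc.xml", "alice");   // bob authenticates fine but may not read abc.xml
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Step 1: no (or malformed) Authorization header -> 401 with a challenge.
        String[] creds = parseBasic(request.getHeader("Authorization"));
        if (creds == null || !authenticate(creds[0], creds[1])) {
            challenge(response);
            return;
        }

        // Step 2: authenticated, but does this user have rights to this path?
        // Re-challenging here is the part Craig calls non-standard: the client
        // is asked for a different set of credentials for the same realm.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!authorized(creds[0], path)) {
            challenge(response);
            return;
        }

        chain.doFilter(req, res);   // let the servlet fetch and return the resource
    }

    /** Returns {user, password} from a "Basic base64(user:pass)" header, or null. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException badBase64) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;               // RFC 7617 requires user:pass
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** Constant-time password comparison so timing does not leak which byte differed. */
    static boolean authenticate(String user, String password) {
        String stored = USERS.get(user);
        if (stored == null) return false;
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    /** Application-side ACL: only the listed user may read a protected path. */
    static boolean authorized(String user, String path) {
        String owner = ACL.get(path);
        return owner == null || owner.equals(user); // unlisted paths are open
    }

    /** Sends the 401 that makes the browser prompt for credentials. */
    static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Two points worth keeping in mind with this layout: Basic credentials are only base64-encoded, so the filter is only as private as the transport (run it behind TLS), and because the re-challenge after a failed ACL check reuses the same realm, most browsers will simply resend the credentials they already have, so the user sees a 401 rather than a fresh prompt unless the realm string changes.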


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
