Mark,
On 10/5/21 04:46, Mark Thomas wrote:
On 05/10/2021 03:40, Jerry Malcolm wrote:
An earlier post suggested I just implement a CredentialHandler, which
would be great. But it looked like the credential handler is given
"id/pw" extracted from the base64. Or will it actually return
whatever it finds in the base64 token? "A:B:C:D:E:F" instead of "id:pw"?
CredentialHandler only gets passed the password.
Yes, but if the (base64-decoded) token from the user looks like:
username:a:b:c:d:e
Then the credential handler will get "a:b:c:d:e" as the "password".
I realize that renaming the header prefix to "Malcolm" or whatever
would be more architecturally pure. But how much more code is
involved to get the same result if my authorization header prefix is
now "Malcolm" instead of "Basic"?
Probably not that much. Looking at Tomcat's BasicAuthenticator you'd
have to override most of it to do this anyway, so I'd probably copy it as
the starting point and then edit it.
+1
-chris
On 10/4/2021 8:49 AM, Christopher Schultz wrote:
Michael,
On 10/3/21 11:58, Michael Osipov wrote:
On 2021-10-02 at 02:48, Jerry Malcolm wrote:
I need to write a custom BasicAuthenticator class to decode a
specialized encoding of the authToken. I have been scouring google
for info. I found one post where the answer included the statement:
This would clearly violate Basic auth scheme and the according RFC.
I highly recommend against. Don't abuse Basic. Create your own
scheme/header and solve your problem with it.
This is a very good point.
Instead of:
Authorization: Basic [base64stuff]
Using "Bearer" might be a better choice, though that is also covered
by a specific RFC and might be confusing to overload that token
("Bearer") for another purpose.
You could just do:
Authorization: Malcolms [token]
If you are going to write a custom authenticator, anyway. You'll need
to have a custom client, of course, but you will already have that
kind of thing because no standard HTTP client would format your
authentication tokens in this way.
Another dumb question: why use your own custom stuff instead of the
standard(s)?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
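The thread's two points, that a Basic token "username:a:b:c:d:e" reaches the CredentialHandler with "a:b:c:d:e" as the password because RFC 7617 splits at the first colon only, and that a private scheme such as "Malcolms <token>" leaves Basic untouched, shown as an added Python illustration (not Tomcat code and not from any poster); the "Malcolms" scheme and its colon-separated field layout are assumptions taken from the discussion:

```python
"""Added example: Authorization header dispatch, Basic vs. a custom scheme."""
import base64
import binascii
from typing import Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Encode credentials the way a standard client does (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(b64: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic token and split at the FIRST colon only.

    The user-id may not contain ':', but the password may, so every
    character after the first colon is the password. That is exactly
    the string a CredentialHandler is handed; it never sees the user-id.
    """
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # reject garbage instead of guessing at it
    user, sep, password = raw.partition(":")
    if not sep:
        return None  # no colon at all: malformed Basic credentials
    return user, password


def parse_authorization(header: str) -> dict:
    """Dispatch on the scheme token (scheme names are case-insensitive)."""
    scheme, _, value = header.strip().partition(" ")
    value = value.strip()
    if scheme.lower() == "basic":
        creds = parse_basic(value)
        if creds is None:
            return {"scheme": "Basic", "error": "malformed credentials"}
        return {"scheme": "Basic", "username": creds[0], "password": creds[1]}
    if scheme.lower() == "malcolms":
        # Hypothetical custom scheme from the thread: the custom authenticator
        # owns the token format, so Basic semantics are never overloaded.
        # The colon-separated layout is an assumption for illustration.
        return {"scheme": "Malcolms", "fields": value.split(":")}
    return {"scheme": scheme, "error": "unsupported scheme"}
```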