Alec,

On 6/2/2009 2:03 PM, Alec Swan wrote:
> Hassan, I don't think that the goals are contradictory, because each goal
> applies to its own group of users: our customer users and everybody else.
> Customer users should not have to enter user name and password, but
> everybody else should.

What authentication mechanism are you using already? FORM? BASIC?

With BASIC or DIGEST authentication, it's easy enough to put the credentials into the request that the remote server sends to you.

If you're using FORM authentication, it's more complicated because Tomcat's authentication /requires/ request->challenge->credentials->repeat-request.

If you use securityfilter (http://securityfilter.sourceforge.net), you can do drive-by logins by just calling j_security_check directly (without an initial request).

Another option (which I prefer) is to provide a service that is oriented toward these clients which accepts credentials in a different form. Don't use container-managed security for this service. Instead, accept credentials in some other way. You can accept username and password, or you could even accept a single token which is encrypted using a pre-shared key.

-chris
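
The pre-shared-key token suggested in the message above, as an added example that is not part of the original email or of Tomcat. The class name `PresharedKeyToken`, the token layout (nonce, then username and expiry sealed together) and the choice of AES-GCM are assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;

/** Hypothetical helper: token = base64url(nonce || AES-GCM(username '\n' expiryEpochSeconds)). */
public final class PresharedKeyToken {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    /** Client side: seal a username and an expiry time under the pre-shared key. */
    static String issue(byte[] key, String user, Instant expires) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);                       // fresh nonce per token, never reused with this key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal((user + "\n" + expires.getEpochSecond()).getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(NONCE_LEN + ct.length).put(nonce).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }
    /** Server side: return the username, or null if the token is forged, malformed or expired. */
    static String verify(byte[] key, String token, Instant now) {
        try {
            byte[] raw = Base64.getUrlDecoder().decode(token);
            if (raw.length < NONCE_LEN + TAG_BITS / 8) return null;   // too short to hold nonce + tag
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                   new GCMParameterSpec(TAG_BITS, raw, 0, NONCE_LEN));
            String[] f = new String(c.doFinal(raw, NONCE_LEN, raw.length - NONCE_LEN),
                                    StandardCharsets.UTF_8).split("\n", -1);
            if (f.length != 2 || f[0].isEmpty()) return null;
            return now.getEpochSecond() <= Long.parseLong(f[1]) ? f[0] : null;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null;                            // failed tag check, bad base64 or bad expiry field
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];                  // constructed sample key; share the real one out of band
        RNG.nextBytes(key);
        Instant now = Instant.now();
        String t = issue(key, "customer-app", now.plusSeconds(60));
        String bad = (t.charAt(0) == 'A' ? "B" : "A") + t.substring(1);   // tampered copy of the token
        System.out.println("valid:    " + verify(key, t, now));
        System.out.println("expired:  " + verify(key, t, now.plusSeconds(3600)));
        System.out.println("tampered: " + verify(key, bad, now));
    }
}
```

A token of this shape can be replayed until it expires, so keep the lifetime short and send it only over TLS.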