Alec,

On 6/2/2009 6:08 PM, Alec Swan wrote:
>> ? You can't put HTTP headers "in" a link, unless you're processing
>> it through some proxy mechanism...
>
> Looks like the last SecurityFilter build was released on Dec. 14,
> 2004, which makes me hesitant to use it.

The servlet specification regarding authentication and authorization
hasn't changed in a long time, so newer releases haven't been warranted.
The project is definitely active, in spite of a lack of recent releases.

> I am wondering if it is possible to use JavaScript to include the
> user name and password in the HTTP header when the link is clicked.

Yuk. Relying on JavaScript for security is, IMO, a terrible mistake.

> Does this mean that there is no way to authenticate against Tomcat
> server unless the server initiated the request itself?

No, that means that the client must make a request for a protected
resource /before/ the client can provide credentials to the server (i.e.
"no drive-by logins").

-chris