----------------------------------------------------------------
BEFORE YOU POST, search the faq at <http://java.apache.org/faq/>
WHEN YOU POST, include all relevant version numbers, log files,
and configuration files.  Don't make us guess your problem!!!
----------------------------------------------------------------




One solution which works for us is:

1) Switch on authentication in Apache for all the documents _and_ servlets
which you want to protect, which means something like this in your
httpd.conf file:

<LocationMatch "^/(servlet/|your_documents/)">
    AuthName "servlet_auth_zone"
    AuthType Basic
    AuthUserFile "/your_file"
    require valid-user
</LocationMatch>

2) When your servlet processes a user request, you are sure that the user
has been authenticated by Apache in the realm "servlet_auth_zone". In your
Java code you can do:

    protected void service(HttpServletRequest req, HttpServletResponse resp)
    {
        req.getAuthType(); // should return 'Basic'
        req.getRemoteUser(); // should return the username which the user supplied
    }

Zdravim/Best regards

Tomas
--
---------------------------------------------- mailto:[EMAIL PROTECTED]
Tomas Hulek
ADIS Project - Application Development Manager
IBM CR, Murmanska 4/1475, Praha 10, 100 00, Czech Republic
tel. +420-2-7213 1412  fax +420-2-7213 1444
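
An added example, not code from the original post: a servlet that relies on the Apache authentication set up in steps 1 and 2 above and refuses any request that arrives without an Apache-authenticated user. The class name AdminFormServlet and the page it prints are hypothetical; it assumes the servlet is mapped under /servlet/ so the <LocationMatch> block covers it.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: AdminFormServlet is a hypothetical name. It assumes the
// servlet is reachable only under /servlet/, the path the <LocationMatch>
// block protects, so Apache has already checked the password.
public class AdminFormServlet extends HttpServlet {

    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String authType = req.getAuthType();
        String user = req.getRemoteUser();

        // Fail closed: a missing user means the request arrived by a path
        // Apache did not protect. Answer 403 rather than 401 so that Apache
        // stays the only component that issues a login challenge.
        if (user == null || user.length() == 0
                || !"Basic".equalsIgnoreCase(authType)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Not authenticated by the front-end server");
            return;
        }

        // Per-user pages must not be stored by shared caches.
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/html; charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // The username comes from the request: encode it before echoing.
        out.println("<html><body><p>Logged in as "
                + escapeHtml(user) + "</p></body></html>");
    }

    // Minimal HTML encoder; '&' must be replaced first.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```
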

Please respond to "Java Apache Users"
<[EMAIL PROTECTED]>
To:     "Java Apache Users" <[EMAIL PROTECTED]>
cc:      (bcc: Tomas Hulek/Czech Republic/IBM)
Subject:        RE: sharing authorization headers





Jane,

        I played with something similar to this for a few days.
Essentially I was trying to get the standard authentication
system I wrote for my servlets to also (when the user logs in)
authenticate the user for standard htdocs files.  I hit
my head off a brick wall for a few days, couldn't find a way
and later decided with others that it couldn't be done.  I can't
remember the exact details but I might be able to dig them up.  I'll
be intrigued if someone has a solution mind you.  I could still
do with it :)

Dave Molloy

PS: Possible solution:
- In your Jserv configuration make all .html handled by a servlet which
either feeds out the page or refuses if authentication fails.  This
would certainly work but may put a huge load on your site if your site
has large quantities of static html.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jane Trois
Sent: Wednesday, September 20, 2000 3:18 PM
To: [EMAIL PROTECTED]
Subject: sharing authorization headers



I have a servlet running with JServ 1.0 on Apache
1.3.12, running on Linux (Redhat 6.0)

I've added some user authentication to the servlet so
that certain HTML forms, which are for admins, are
generated by the servlet and are password protected.
So for example, if a user wanted to see one of these
forms, the servlet first checks if there is an
Authorization header and then based on that either
forces the browser to prompt for a username/password
(dialog box) or goes ahead and displays the form.  I
have my own mechanism for authenticating users in the
servlet.

There are some links to images within these HTML forms
which are served through Apache (not the servlet), and
are protected using Apache security...  but using the
same usernames and passwords as for the HTML forms.

The idea is to have it appear like (at least to the
end user) both the servlet and Apache are using the
same usernames and passwords with a single login.  The
problem is, it looks like the Authorization header
does not get passed in with the Apache GET requests.
So after the user logs in through my servlet, s/he
will have to log in again for the first file GET on
Apache, which everyone around me seems to agree is
really ugly user-interface-wise!

Is there any way to avoid this?  Can I somehow share
Authorization headers between Apache and my servlet,
or at least let Apache be able to see all
Authorization headers from my servlet (even vice versa
would be helpful)?  Ideas for workarounds would be
helpful.

Thanks!

Jane



