Hi,

- "basic" or "digest" authorization is HTTP-based authorization. It's the situation when the browser pops up a dialog box for the user to enter a username and password for that domain. The server checks whether the authorization data (the word "basic" followed by the base64-encoded string "username:password") is in the request header sent by the browser, and if this is the case (and the user:pass pair is correct) the page is returned. If not, the server returns a 401 (Unauthorized) page and the following line in the header:

    WWW-Authenticate: BASIC realm="protected-domain"

which forces the browser to pop up the dialog. It is not a big protection but better than none. This basic authentication is in the Web server domain. You can control this behavior from your servlet (or similar):

    // Needs java.util.Base64, java.nio.charset.StandardCharsets and
    // javax.servlet.http.HttpServletResponse.
    String authorization = request.getHeader("Authorization");
    boolean authenticated = false;
    if (authorization != null && authorization.startsWith("Basic ")) {
        // The header value is "Basic " followed by base64("username:password")
        byte[] raw = Base64.getDecoder().decode(authorization.substring("Basic ".length()));
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int sep = decoded.indexOf(':');
        if (sep > 0) {
            String username = decoded.substring(0, sep);
            String password = decoded.substring(sep + 1);
            // checkCredentials() stands for your own username/password lookup
            authenticated = checkCredentials(username, password);
        }
    }
    if (!authenticated) {
        // no header, or wrong username/password: send 401 plus the challenge
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "BASIC realm=\"protected-domain\"");
        return;
    }
    // else do what you want to do
    // THIS IS JUST DEMO CODE

- form-based authorization is the situation where the server initiates a session with the browser by sending it a cookie with a session id and can later check if the user is logged in (s/he is if the browser has the cookie).

Hope I helped,
Dejan

> Pardon my ignorance please but what is basic authentication and
> form-based authentication? You were talking about sessions and URL
> rewriting and I thought I knew all about that. What is the auth header
> from the browser? Is this container managed ?
>
> Thanks
> Adam
>
> Struts Newsgroup (@Basebeans.com) wrote:
>
> >This is probably a problem of lost session, either by the browser not
> >sending the session cookie back or while using url rewriting and not
> >properly wrapping an url sent back to the browser.
> >
> >Remember that when using basic authentication, the auth header is sent
> >by the browser at every request, so it never loses the session. Using
> >form based authentication requires the session to be intact, since you
> >only authenticate once.
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
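The Basic exchange described in the reply above (the 401 challenge with its realm, the browser's base64 "username:password" header, and the check the server repeats on every request), as an added Python example that is not part of the original thread; the realm name, the user store and the sample credentials are constructed for the demo. It goes slightly beyond the servlet snippet by keeping only a salted PBKDF2 hash of each password and comparing in constant time, so the check does not leak which part failed.

```python
import base64
import binascii
import hashlib
import hmac
import os

REALM = "protected-domain"  # constructed; matches the realm used in the thread


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so the server never keeps the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed demo user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"adam": (_SALT, _hash_password("s3cret", _SALT))}


def build_authorization(username: str, password: str) -> str:
    """What the browser sends after the dialog: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header: str):
    """Return (username, password) from a Basic header, or None if it is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")  # the password may contain ':'
    return username, password


def check_request(headers: dict):
    """Mirror the servlet logic: (401, challenge) unless the credentials are valid."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_authorization(headers.get("Authorization", ""))
    if creds is None:
        return 401, challenge
    username, password = creds
    # Unknown users get an empty salt/hash so the hashing work is always done
    salt, stored = USERS.get(username, (b"", b""))
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 401, challenge
    return 200, {}
```

Because the browser resends the Authorization header with every request, `check_request` runs per request and needs no session state, which is the difference from form-based login the quoted post points out.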