Hi,
- "basic" or "digest" authorization is HTTP-based authorization. It's the
situation when the browser pops up a dialog box for the user to enter a username and
password for that domain. The server checks whether authorization data (it's the
word "basic" followed by a base64 encoded string (username:password)) is in the
request header which is sent by the browser, and if this is the case (and the
user:pass pair is correct) the page is returned. If not, the server returns a 401
(Unauthorized) page and the following line in the header: WWW-Authenticate: BASIC
realm="protected-domain", which forces the browser to pop up the dialog. It is
not a big protection but better than none. This basic authentication is in the
Web server domain. You can control this behavior from your servlet (or
similar):

String authorization = request.getHeader("Authorization");
if (authorization == null) {
    // no credentials sent yet: challenge the browser so it pops up the login dialog
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "BASIC realm=\"protected-domain\"");
} else {
    // check username and password (decode the base64 "user:pass" after "BASIC ")
    // if wrong: send the same 401 challenge again
    response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    response.setHeader("WWW-Authenticate", "BASIC realm=\"protected-domain\"");
    // else do what you want to do
}

// THIS IS JUST DEMO CODE

- form-based authorization is the situation where the server initiates a session with
the browser by sending it a cookie with a sessionid and later can check if the
user is logged in (s/he is if s/he has a cookie).

Hope I helped,
Dejan
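An added example (my code, not Dejan's servlet demo), written in plain Python rather than the servlet API so it runs stand-alone: it shows the Basic scheme mechanics described above, parsing the Authorization header, decoding the base64 user:pass, and returning the 401 challenge when the check fails. The realm, the credential store and the helper names are constructed for the example.

```python
import base64
import binascii
import hmac

# Constructed demo credential store; a real server holds salted password hashes.
USERS = {"alice": "s3cret"}
REALM = "protected-domain"


def parse_basic_authorization(header):
    """Return (username, password) from an 'Authorization: Basic ...' value,
    or None when the header is absent, not Basic, or not valid base64 'user:pass'."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    # The scheme name is case-insensitive, so "BASIC" and "Basic" both match
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # base64 is an encoding, not encryption: anyone who sees the request
        # can decode it, which is why Basic alone is "not a big protection"
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def check_request(header):
    """Mimic the servlet logic from the post: return (status, headers).
    200 when credentials verify, otherwise 401 plus the WWW-Authenticate challenge."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic_authorization(header)
    if creds is None:
        return 401, challenge
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison so a wrong password cannot be told apart by timing
    if username in USERS and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, {}
    return 401, challenge


def make_basic_header(username, password):
    """Build the header value the browser sends after the dialog: base64 of user:pass."""
    raw = ("%s:%s" % (username, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")
```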

> Pardon my ignorance please but what is basic authentication and
> form-based authentication?  You were talking about sessions and URL
> rewriting and I thought I knew all about that. What is the auth header
> from the browser? Is this container managed ?
>
> Thanks
> Adam
>
> Struts Newsgroup (@Basebeans.com) wrote:
>
> >This is probably a problem of lost session, either by the browser not
> >sending the session cookie back or while using url rewriting and not
> >properly wrapping a URL sent back to the browser.
> >
> >Remember that when using basic authentication, the auth header is sent
> >by the browser at every request, so it never loses the session. Using
> >form based authentication requires the session to be intact, since you
> >only authenticate once.


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>