Hi all, I've got a question regarding authentication. I wish to do authentication without authorisation. So this means everybody should be free to access my web-resource but I wish to know who it is. Therefore the accessing user must login. As probably everybody knows here I can configure that by means of a security-constraint/login-config in my web.xml file. Here is a little example: <security-constraint> <web-resource-collection> <web-resource-name>Protect the Helloworld example</web-resource-name> <description/> <url-pattern>/servlet/HelloWorldExample</url-pattern> <url-pattern>/servlet/SessionExample</url-pattern> <http-method>POST</http-method> <http-method>GET</http-method> </web-resource-collection> </security-constraint> <login-config> <auth-method>BASIC</auth-method> <realm-name>public</realm-name> </login-config>
Please remark that no auth-constraint is defined, because anybody should have free access to this web-resource. So what I need is authentication without authorisation. The problem is that only if I define some auth-constraint in the security-constraint the authenticate method of the Authenticator will be invoked. I think that the J2EE Standard makes no restriction that authentication can only be used in combination with authorisation. Am I wrong? Or is this a Tomcat bug? Cheers Karin --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]