On Wed, 6 Mar 2002, Mark Shaw wrote:
> Date: Wed, 6 Mar 2002 22:37:17 -0800
> From: Mark Shaw <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: BASIC Authentication Question
>
> I'm hoping someone can shed some light on a particular behavior I'm
> experiencing with BASIC authentication and session cookies:
>
> I've set up my servlet to use BASIC authentication and I'm using my own very
> simple realm implementation:
> import java.security.Principal;
> import java.util.ArrayList;
> import java.util.List;
> import org.apache.catalina.realm.GenericPrincipal;
> // Test realm: any username gets password "tomcat", Principal "tomcat", role "test"
> protected String getPassword(String username) { return "tomcat"; }
> protected Principal getPrincipal(String username) {
>     List roles = new ArrayList();
>     roles.add("test");
>     return new GenericPrincipal(this, "tomcat", "tomcat", roles);
> }
>
> I have a Java client that connects to my servlet via a URL connection,
> identical to the code in org.apache.catalina.ant.AbstractCatalinaTask,
> passing in "tomcat" for user and password in the first request which works
> great!
One of the best aspects of open source ... you can see what worked for
somebody else :-).
> In subsequent requests I pass back the sessionID (in a cookie
> labeled "jsessionid"...) instead of the BASIC authentication, but my request
> fails ["This request requires HTTP authentication (Unauthorized)"] although
> my session ID is recognized by the servlet. I figured my initial
> authentication was cached so that I only needed to send the session ID and
> not pass the authentication string in the header each time - this seems to
> be the behavior of the Manager App when I dump its Request/Response headers.
> Any ideas how I can accomplish this from a Java client: only sending
> authentication once, then using the session ID cookie from then on? What's
> even stranger is that if I pass both the BASIC authentication header and my
> session ID every time it works great and my session is recognized, but my
> realm methods (see above) are never called, so the authentication must be
> stashed somewhere?
>
When you use BASIC authentication, Tomcat 4 currently expects that you
will include the "Authorization" header on every request, even though it
does cache the authenticated Principal when you are in a session.
Looking at the specs <http://www.ietf.org/rfc/rfc2617.txt>, it is not
stated that this is required, so this behavior could probably be relaxed
(when within a session) without ill effects.
One possibly negative side effect would be the case where the server's
user database changes the password for this username (or removes it
entirely) -- the previous authentication would still work for the duration
of the current session. That's what happens already with form-based
login, so it's probably ok.
Could you please post this as an enhancement request to our bug tracking
system (http://nagoya.apache.org/bugzilla) to make sure it does not get
lost?
> Thanks for any help,
> -Mark
>
Craig
PS: Has anyone had any success trying to force a logout (and subsequent
re-authentication) of a BASIC authentication when the current session is
invalidated or times out, without requiring that the user close down and
restart the browser? It would be very useful in Servlet 2.4 to know
whether or not this is technically feasible -- if it is, we can think about
mandating it as standard behavior so that applications do not have to care
which login method is being used.
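The following Python model is an added illustration, not Tomcat code and not anything posted in the thread. It replays the exchange Mark describes under the two policies Craig contrasts: "strict", where the Authorization header must be present and valid on every request (the Tomcat 4 behaviour), and "relaxed", where a Principal cached in the session is enough and the client can send only the session cookie afterwards. It also walks through the two caveats raised above: a password change in the user database that a relaxed session does not notice, and the fact that invalidating the session does not stop a client that simply resends its cached BASIC credentials. The class and function names (Realm, Session, BasicAuthenticator, walkthrough), the user store, and the "JSESSIONID" key standing in for the cookie value are all constructed for this example.

```python
# Added example (not Tomcat code): a small model of BASIC authentication with a
# session-cached Principal, showing the two policies discussed in the thread.
import base64
import secrets


class Realm:
    """Constructed user store standing in for the realm in the thread."""

    def __init__(self, users):
        self.users = dict(users)          # username -> password

    def authenticate(self, username, password):
        stored = self.users.get(username)
        return stored is not None and secrets.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8"))


class Session:
    def __init__(self, sid):
        self.sid = sid
        self.principal = None             # cached authenticated username
        self.valid = True


class BasicAuthenticator:
    """strict=True : Authorization header required and checked on every request
                     (the Tomcat 4 behaviour described in the thread).
       strict=False: a Principal cached in the session is enough, so the client
                     may send only the JSESSIONID cookie after the first request."""

    def __init__(self, realm, strict=True):
        self.realm = realm
        self.strict = strict
        self.sessions = {}

    @staticmethod
    def parse_basic(header):
        """Return (user, password) from 'Basic <base64(user:password)>' or None."""
        if not header or not header.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None

    def handle(self, headers):
        """Return (status, session_id); 401 is 'This request requires HTTP authentication'."""
        session = self.sessions.get(headers.get("JSESSIONID"))
        if session is not None and not session.valid:
            session = None                # an invalidated session counts as none
        creds = self.parse_basic(headers.get("Authorization"))
        if creds is not None:
            user, password = creds
            if not self.realm.authenticate(user, password):
                return 401, None
            if session is None:
                session = Session(secrets.token_hex(8))
                self.sessions[session.sid] = session
            session.principal = user      # cache the Principal in the session
            return 200, session.sid
        # No Authorization header on this request.
        if not self.strict and session is not None and session.principal is not None:
            return 200, session.sid
        return 401, None

    def invalidate(self, sid):
        if sid in self.sessions:
            self.sessions[sid].valid = False


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def walkthrough(strict):
    """Replay the scenario from the thread; returns the status of each step."""
    realm = Realm({"tomcat": "tomcat"})   # constructed user store
    auth = BasicAuthenticator(realm, strict=strict)
    results = {}
    # 1. first request carries credentials -> session created, Principal cached
    status, sid = auth.handle({"Authorization": basic_header("tomcat", "tomcat")})
    results["first"] = status
    # 2. later request sends only the session cookie (Mark's failing case)
    results["cookie_only"] = auth.handle({"JSESSIONID": sid})[0]
    # 3. the user database changes the password mid-session (Craig's caveat)
    realm.users["tomcat"] = "changed"
    results["after_pw_change_cookie_only"] = auth.handle({"JSESSIONID": sid})[0]
    results["after_pw_change_old_header"] = auth.handle(
        {"JSESSIONID": sid, "Authorization": basic_header("tomcat", "tomcat")})[0]
    # 4. invalidating the session does not force re-authentication of a client
    #    that resends its cached credentials (Craig's PS): it just gets a new session
    realm.users["tomcat"] = "tomcat"
    auth.invalidate(sid)
    results["invalidated_cookie_only"] = auth.handle({"JSESSIONID": sid})[0]
    status, new_sid = auth.handle(
        {"JSESSIONID": sid, "Authorization": basic_header("tomcat", "tomcat")})
    results["invalidated_with_header"] = status
    results["new_session"] = new_sid != sid
    return results


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "relaxed", walkthrough(strict=mode))
```

Running it shows the trade-off in one table: only the relaxed policy lets the cookie-only request through, but it is also the one that keeps accepting a session after the password in the user database has changed. In both modes, once the session is invalidated, a cookie-only request gets 401, while a client that resends its stored Authorization header is silently logged back in with a fresh session, which is exactly why a server-side logout alone cannot end a BASIC login while the client still holds the credentials.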