Manuel,

On 9/24/12 7:55 AM, manuel aldana wrote:
> Is there a way to support both DIGEST and BASIC in one servlet
> container (we use tomcat 6.0.35)? We want to support BASIC over SSL
> but we need to keep running DIGEST for down-compatibility reasons
> with api-clients.
> 
> As I see in web.xml config, there is only one entry possible for
> <auth-method>:
>
> <login-config>
>   <auth-method>DIGEST</auth-method>
>   <realm-name>my-realm</realm-name>
> </login-config>
> 
> So it looks to me that I need to write some custom hooks/Filters in
> my webapp (to check DIGEST first + fallback on BASIC). Can somebody
> point me to the right hooks?

I think you have two choices:

1. Use two different webapps (Tomcat certainly will allow different
authentication mechanisms within the container... just not in the same
context/webapp)

2. Write a custom Authenticator Valve

If you want to use Tomcat's container-managed authentication, then you
cannot do this with Filters, so it's going to be a Tomcat-specific
solution.

If you are going to roll your own authentication solution yourself,
you might want to consider using code from SecurityFilter
(http://securityfilter.sourceforge.net/).

I'm curious how you will "check DIGEST first" and then apply BASIC.
Are you expecting some clients to simply send DIGEST credentials
without first contacting the server? I don't think that's possible.

-chris
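
The protocol point raised in the reply above, as an added example (not code from this thread, from Tomcat or from SecurityFilter): a Digest response is computed over a nonce the server issues in its 401, so a combined authenticator sends its challenges first and then dispatches on whichever scheme the client's Authorization header names. The class name, account, nonce and URI are constructed for illustration; nonce expiry and nc replay tracking are left out.

```java
import java.nio.charset.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;
public class DualSchemeAuth {   // added illustration: plain Java 8+, no Tomcat classes
    static final Charset L1 = StandardCharsets.ISO_8859_1;
    // Hypothetical single account; a real Authenticator Valve would consult the Realm.
    static final String REALM = "my-realm", USER = "api", PASS = "s3cret";
    static String md5(String s) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("MD5").digest(s.getBytes(L1))) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    static boolean same(String a, String b) { return MessageDigest.isEqual(a.getBytes(L1), b.getBytes(L1)); }
    // WWW-Authenticate values for the 401: DIGEST always, BASIC only when the request came over SSL.
    static List<String> challenges(String nonce, boolean secure) {
        String digest = "Digest realm=\"" + REALM + "\", qop=\"auth\", nonce=\"" + nonce + "\"";
        return secure ? Arrays.asList(digest, "Basic realm=\"" + REALM + "\"") : Arrays.asList(digest);
    }
    // Dispatch on the scheme the client chose. issuedNonce is the nonce from our earlier 401.
    static boolean verify(String authz, String method, String uri, boolean secure, String issuedNonce) throws Exception {
        if (authz == null) return false;                    // first contact: answer with challenges()
        if (authz.regionMatches(true, 0, "Basic ", 0, 6)) {
            if (!secure) return false;                      // refuse BASIC credentials sent in cleartext
            try { return same(new String(Base64.getDecoder().decode(authz.substring(6).trim()), L1), USER + ":" + PASS); }
            catch (IllegalArgumentException e) { return false; }   // malformed base64
        }
        if (!authz.regionMatches(true, 0, "Digest ", 0, 7)) return false;
        Map<String, String> p = new HashMap<>();
        Matcher m = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))").matcher(authz.substring(7));
        while (m.find()) p.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        if (!USER.equals(p.get("username")) || !issuedNonce.equals(p.get("nonce")) || !uri.equals(p.get("uri"))) return false;
        String expected = md5(md5(USER + ":" + REALM + ":" + PASS) + ":" + issuedNonce + ":" + p.get("nc") + ":"
                + p.get("cnonce") + ":auth:" + md5(method + ":" + uri));   // RFC 2617, qop=auth
        return same(expected, String.valueOf(p.get("response")));
    }

    public static void main(String[] args) throws Exception {
        String nonce = "constructed-nonce-1";               // constructed sample values throughout
        String resp = md5(md5("api:my-realm:s3cret") + ":" + nonce + ":00000001:abc:auth:" + md5("GET:/v1/items"));
        String digest = "Digest username=\"api\", realm=\"my-realm\", nonce=\"" + nonce
                + "\", uri=\"/v1/items\", qop=auth, nc=00000001, cnonce=\"abc\", response=\"" + resp + "\"";
        String basic = "Basic " + Base64.getEncoder().encodeToString("api:s3cret".getBytes(L1));
        System.out.println(challenges(nonce, true));
        System.out.println("digest over http: " + verify(digest, "GET", "/v1/items", false, nonce));
        System.out.println("basic over https: " + verify(basic, "GET", "/v1/items", true, nonce));
        System.out.println("basic over http:  " + verify(basic, "GET", "/v1/items", false, nonce));
    }
}
```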
