On 24.09.12 18:51, Christopher Schultz wrote:

Manuel,

On 9/24/12 7:55 AM, manuel aldana wrote:
Is there a way to support both DIGEST and BASIC in one servlet
container (we use Tomcat 6.0.35)? We want to support BASIC over SSL,
but we need to keep running DIGEST for backward-compatibility reasons
with API clients.

As I see in the web.xml config, there is only one entry possible for
<auth-method>:
===
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>my-realm</realm-name>
</login-config>

So it looks to me that I need to write some custom hooks/Filters in
my webapp (to check DIGEST first + fall back on BASIC). Can somebody
point me to the right hooks?

I think you have two choices:

1. Use two different webapps (Tomcat certainly will allow different
authentication mechanisms within the container... just not in the same
context/webapp)
I also thought of that, but it is not an option for us, as it would complicate our deployment and build pipeline.


2. Write a custom Authenticator Valve

If you want to use Tomcat's container-managed authentication, then you
cannot do this with Filters, so it's going to be a Tomcat-specific
solution.

If you are going to roll your own authentication solution yourself,
you might want to consider using code from SecurityFilter
(http://securityfilter.sourceforge.net/).
Thanks, I will have a look. As I use Spring, another alternative is to skip the servlet-specification Digest/Basic auth and use Spring Security instead. With Spring it is possible to hook into Filters and create support for both auth schemes.


I'm curious how you will "check DIGEST first" and then apply BASIC.
Are you expecting some clients to simply send DIGEST credentials
without first contacting the server? I don't think that's possible.
I have simplified the solution:
- The server will NEVER send a Basic auth challenge, only Digest (in case no Basic or Digest challenge response is sent by the client).
- If a client wants to use Basic, it will need to send the Basic challenge response preemptively (which is trivial, as no nonce is involved).
- In the end, Digest is the fallback in case no Basic auth challenge response is sent.
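The dispatch sketched in the thread (check for a preemptive Basic header first, otherwise verify a Digest response, and only ever challenge with Digest), as an added example that is not code from the thread, from Tomcat or from Spring Security. It models the HTTP exchange in plain Python rather than as a Tomcat Authenticator Valve or a Spring filter: the realm name my-realm is taken from the web.xml above, the user store is constructed, and the rule that Basic is only honoured over TLS is an assumption drawn from "BASIC over SSL" in the first post.

```python
# Added example: one endpoint that accepts preemptive Basic or a Digest
# response, but only ever challenges with Digest. Constructed model of the
# scheme described in the thread; not Tomcat or Spring Security code.
import base64
import hashlib
import hmac
import re
import secrets

REALM = "my-realm"            # realm name from the web.xml in the thread
USERS = {"alice": "s3cret"}   # constructed credential store (assumption)


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth, as computed by a Digest client."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def parse_digest_params(s: str) -> dict:
    """Parse 'k="v", k2=v2' into a dict (quoted and unquoted values)."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', s)
    return {k: q if q else u for k, q, u in pairs}


def basic_header(user, password):
    """Client side: Basic credentials sent preemptively (no challenge needed)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def digest_header(user, password, method, uri, challenge, nc="00000001", cnonce="0a1b2c"):
    """Client side: answer a 'Digest ...' WWW-Authenticate challenge."""
    c = parse_digest_params(challenge.split(" ", 1)[1])
    resp = digest_response(user, password, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


class DualAuthServer:
    def __init__(self):
        self.nonces = {}      # nonce -> highest nc accepted so far

    def challenge(self):
        """Only a Digest challenge is ever sent; Basic is never offered."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        hdr = f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5'
        return 401, None, {"WWW-Authenticate": hdr}

    def _check_basic(self, blob, over_tls):
        if not over_tls:              # assumption: Basic is only honoured over TLS
            return None
        try:
            user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        known = USERS.get(user)
        if known is None or not hmac.compare_digest(known.encode(), pw.encode()):
            return None
        return user

    def _check_digest(self, params, method, uri):
        p = parse_digest_params(params)
        try:
            user, nonce, nc, cnonce, resp = (p[k] for k in
                                             ("username", "nonce", "nc", "cnonce", "response"))
            count = int(nc, 16)
        except (KeyError, ValueError):
            return None
        if p.get("realm") != REALM or p.get("uri") != uri or p.get("qop") != "auth":
            return None
        last = self.nonces.get(nonce)
        if last is None or count <= last:   # unknown nonce, or replayed/out-of-order nc
            return None
        password = USERS.get(user)
        if password is None:
            return None
        expected = digest_response(user, password, method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected.encode(), resp.encode()):
            return None
        self.nonces[nonce] = count
        return user

    def handle(self, method, uri, headers, over_tls):
        """Returns (status, authenticated user or None, response headers)."""
        scheme, _, rest = headers.get("Authorization", "").partition(" ")
        scheme = scheme.lower()
        user = None
        if scheme == "basic":
            user = self._check_basic(rest.strip(), over_tls)
        elif scheme == "digest":
            user = self._check_digest(rest, method, uri)
        if user is None:
            return self.challenge()        # no/invalid credentials: Digest fallback
        return 200, user, {}
```

Two checks worth keeping in whatever container hook ends up carrying this logic: the nonce table rejects an unknown nonce and a non-increasing nc, so a captured Digest header cannot simply be replayed, and a Basic header arriving over plaintext is treated exactly like no credentials at all, so the client still only ever sees a Digest challenge. In Tomcat the same dispatch would sit in the authenticate() method of a custom Authenticator Valve; in Spring Security it would be a filter placed ahead of the Basic and Digest filters.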


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org