Manuel,

On 9/24/12 2:00 PM, manuel aldana wrote:
> On 24.09.12 18:51, Christopher Schultz wrote:
>> Manuel,
>>
>> 2. Write a custom Authenticator Valve
>>
>> If you want to use Tomcat's container-managed authentication,
>> then you cannot do this with Filters, so it's going to be a
>> Tomcat-specific solution.
>>
>> If you are going to roll your own authentication solution
>> yourself, you might want to consider using code from
>> SecurityFilter (http://securityfilter.sourceforge.net/).
>
> Thanks, I will have a look. As I use spring another alternative is
> to skip the servlet specification digest/basic auth, but refer to
> spring security. With spring it is possible to hook into Filters and
> create support for both auth-schemes.

Spring is definitely the way to go, here.

>> I'm curious how you will "check DIGEST first" and then apply
>> BASIC. Are you expecting some clients to simply send DIGEST
>> credentials without first contacting the server? I don't think
>> that's possible.
>
> I simplify the solution:
> - server will NEVER send Basic auth-challenge, only Digest (in case
>   no Basic or Digest challenge response is sent from client)

That ought to work.

> - if client wants to use Basic it will need to send Basic
>   Challenge response preemptively (which is trivial as no nonce is
>   involved)

+1

> - In the end Digest is fallback in case no Basic auth challenge
>   response is sent

This definitely sounds doable.

-chris
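The scheme agreed on in this thread (challenge with Digest only, accept a preemptively sent Basic header, fall back to Digest otherwise) can be sketched as a servlet Filter; this is an added example, not code from the thread, from Tomcat, or from Spring Security. The class name, realm and user store are hypothetical, it assumes Java 9+ and the javax.servlet 4.0 API, and the restriction of Basic to TLS connections is an assumption added here rather than something the posters discussed.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.*;
import java.util.regex.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class BasicOrDigestFilter implements Filter { // hypothetical class name
    private static final String REALM = "example"; // hypothetical realm
    private static final Map<String, String> USERS = Map.of("alice", "s3cret"); // constructed sample user
    private static final Pattern PARAM = Pattern.compile("(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))");
    private final Set<String> nonces = Collections.synchronizedSet(new HashSet<>()); // issued nonces, no expiry
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws java.io.IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String auth = req.getHeader("Authorization");
        boolean ok = false;
        try {
            if (auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6)) {
                String[] up = new String(Base64.getDecoder().decode(auth.substring(6).trim()), UTF_8).split(":", 2);
                ok = req.isSecure() && up.length == 2 && same(USERS.get(up[0]), up[1]); // Basic over TLS only
            } else if (auth != null && auth.regionMatches(true, 0, "Digest ", 0, 7)) {
                ok = digestOk(req, auth.substring(7));
            }
        } catch (Exception e) { ok = false; } // malformed header counts as unauthenticated
        if (ok) { chain.doFilter(rq, rs); return; }
        String nonce = UUID.randomUUID().toString(); // type 4 UUID, drawn from SecureRandom
        nonces.add(nonce);
        res.setHeader("WWW-Authenticate", "Digest realm=\"" + REALM + "\", qop=\"auth\", nonce=\"" + nonce + "\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // Digest is the only challenge ever sent
    }
    private boolean digestOk(HttpServletRequest req, String header) throws Exception {
        Map<String, String> p = new HashMap<>();
        for (Matcher m = PARAM.matcher(header); m.find();)
            p.put(m.group(1), m.group(2) != null ? m.group(2) : m.group(3));
        String uri = req.getRequestURI() + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
        String pw = USERS.get(p.get("username"));
        if (pw == null || !"auth".equals(p.get("qop")) || !uri.equals(p.get("uri"))
                || !nonces.contains(p.get("nonce"))) return false;
        String ha1 = md5(p.get("username") + ":" + REALM + ":" + pw), ha2 = md5(req.getMethod() + ":" + uri);
        return same(md5(String.join(":", ha1, p.get("nonce"), p.get("nc"), p.get("cnonce"), "auth", ha2)), p.get("response"));
    }
    private static boolean same(String a, String b) { // constant-time comparison
        return a != null && b != null && MessageDigest.isEqual(a.getBytes(UTF_8), b.getBytes(UTF_8));
    }
    private static String md5(String s) throws Exception {
        return String.format("%032x", new java.math.BigInteger(1, MessageDigest.getInstance("MD5").digest(s.getBytes(UTF_8))));
    }
}
```

A deployment would also need nonce expiry and `nc` replay tracking, and a user store holding the Digest HA1 value instead of the plaintext password used by this sample.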