OK. So let me see if I understand what you’re suggesting: I already have client 
and server communicating with each other by sending XML requests via Jersey 
with a servlet implemented in web.xml.

So in addition to this, I would need a filter set to intercept requests with a 
URL pattern /rest/*. This filter can then call HttpServletRequest.login?

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: 18 Jul 2013 15:39
To: Tomcat Users List
Subject: Re: Authentication from a REST service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Martin,

On 7/18/13 10:32 AM, Martin O'Shea wrote:
> It's a case of considering options at the moment. It doesn't matter 
> too much about the actual expiration time of the session. But a 
> question arises concerning use of a realm: if I have the following 
> code in a realm in context.xml for existing browser-based logging
> in:
> 
> <Realm className = "org.apache.catalina.realm.DataSourceRealm" 
> digest="MD5"

FWIW, MD5 is basically deprecated at this point. I would use at least
SHA-256 for password-hashing. Honestly, I'd use a password-mangling algorithm 
and not a straight-up hash (like bcrypt, scrypt, PBKDF2, etc.).

(I've been toying-around with modifications to Tomcat's Realms and underlying 
code to help support such things, but I haven't come up with a good patch, yet).

> debug = "99"

This should be removed: it must have come from an old configuration.

> dataSourceName = "jdbc/MyApp" localDataSource = "true" userTable = 
> "User" userNameCol = "UserName" userCredCol = "Password"
> userRoleTable = "User" roleNameCol = "RoleName" />
> 
> Could it be used also for the REST service?

You can use it for anything you'd like.

> And would a servlet be required to handle authentication?

No, you can use a Filter. I'm not sure how Jersey is implemented, but I suspect 
that you configured either a Servlet or a Filter at some point in 
WEB-INF/web.xml. Just make sure that your own Filter performs whatever is 
necessary to authenticate (e.g. calling
HttpServletRequest.login) and then sets-up the request so that Jersey knows 
that the user has been successfully authenticated (it probably just checks 
ServletRequest.getPrincipal, which will be set up correctly after a successful 
call to HttpServletRequest.login).

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
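As an added worked example (not code from either message in this thread), here is one way to build the Filter Chris describes: it is mapped to /rest/*, reads HTTP Basic credentials, hands them to HttpServletRequest.login() so Tomcat checks them against the <Realm> of the context, and returns a 401 challenge otherwise. The class name RestAuthFilter, the realm name in the challenge, and the use of HTTP Basic to carry the credentials are assumptions; Servlet 3.0 (Tomcat 7+) and Java 8 (for java.util.Base64) are assumed. Note that the method a framework would consult is HttpServletRequest.getUserPrincipal().

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter (not from the original thread).
 * Authenticates REST calls against the Realm configured in context.xml by
 * handing HTTP Basic credentials to HttpServletRequest.login().
 *
 * Equivalent web.xml mapping instead of the annotation:
 *   <filter><filter-name>RestAuth</filter-name>
 *           <filter-class>RestAuthFilter</filter-class></filter>
 *   <filter-mapping><filter-name>RestAuth</filter-name>
 *                   <url-pattern>/rest/*</url-pattern></filter-mapping>
 */
@WebFilter(urlPatterns = "/rest/*")
public class RestAuthFilter implements Filter {

    // Assumed name; only appears in the WWW-Authenticate challenge.
    private static final String REALM_NAME = "MyApp REST";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // A caller that already has an authenticated session (e.g. the existing
        // browser login) is let through; login() would throw if called again.
        if (request.getUserPrincipal() == null) {
            String[] creds = parseBasic(request.getHeader("Authorization"));
            if (creds == null) {
                challenge(response);
                return;
            }
            try {
                // Tomcat validates user/password against the context's <Realm>.
                // On success getUserPrincipal(), getRemoteUser() and isUserInRole()
                // are populated for the remainder of this request, which is what
                // downstream code (Jersey's SecurityContext) reads.
                request.login(creds[0], creds[1]);
            } catch (ServletException e) {
                // Unknown user or wrong password: challenge again, say nothing more.
                challenge(response);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** Returns {user, password} from "Basic base64(user:password)", or null if absent/malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        // Split on the first colon only: passwords may themselves contain ':'.
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM_NAME + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Two caveats worth keeping in mind. Basic credentials are only base64-encoded, so this filter is only acceptable on HTTPS connections; and because the identity set by login() is per-request unless a session exists, a stateless REST client will re-send credentials on every call, which is exactly why the realm's stored passwords should be hashed with a slow algorithm (bcrypt, scrypt, PBKDF2) rather than plain MD5 as Chris notes above.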


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to