On 01/10/2016 18:50, Johannes Michler wrote:
> Hi,
> 
> for our own web-application we overwrite the standard way of how Tomcat
> BasicAuthenticator is working in order to avoid the popup of a
> "Basic-Auth-Dialog" in some situations (where we're calling a service
> provided by the tomcat over a script). Therefore our context.xml in the
> app looks as follows:
> 
> <Context cookies="false">
> <Valve
> className="biz.horus.database.server.servletscript.HorusTomcatBasicAuthenticator"
> />
> </Context>
> 
> HorusTomcatBasicAuthenticator is implemented as follows:
> public class HorusTomcatBasicAuthenticator extends BasicAuthenticator implements Authenticator {
> 
>     @Override
>     public boolean authenticate( Request request, HttpServletResponse response) throws IOException {
>         System.out.println( "XXXX start out");
>         boolean result = super.authenticate( request, response);
>         System.out.println( "XXXX authenticate: " + result);
>         modifyResponse( request, response);
>         return result;
>     }
> 
>     private void modifyResponse( Request request, HttpServletResponse response) {
>         String url = request.getPathInfo();
>         System.out.println( "XX URL=" + url);
>         System.out.println( "XX Auth Header:" + response.getHeader( AUTH_HEADER_NAME));
>         if ( response.getHeader( AUTH_HEADER_NAME) != null && url.startsWith( "/rest"))
>             response.setHeader( AUTH_HEADER_NAME, "HCP_BASIC");
>     }
> 
> }
> 
> 
> This is working great with Tomcat 8.0(.37). Though with Tomcat 8.5.5
> that code in "authenticate" is no longer called. Instead it seems that
> the "standard" BasicAuthenticator is being used.
> 
> However if I entirely remove my jar-file that contains
> HorusTomcatBasicAuthenticator.jar from the tomcat/lib-folder I'm getting
> an error.
> 
> Any ideas on that? I've looked into the tomcat 8.5 migration guide but
> could not find any hints on changed behaviour.


<quote>
Whilst the Tomcat 8.5 internal API is broadly compatible with Tomcat 8.0
there have been many changes at the detail level and they are not binary
compatible. Developers of custom components that interact with Tomcat's
internals should review the JavaDoc for the relevant API.
</quote>

->
http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/AuthenticatorBase.html

and

http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/BasicAuthenticator.html


Of particular note will be changes related to authenticate() and
doAuthenticate().


> Also when comparing the
> Valve-Documentation of Tomcat 8.5 and 8.0 I do not see a difference.
> 
> Or would it be better to address this with d...@tomcat.apache.org
> <mailto:d...@tomcat.apache.org> since it might as well be a bug?

No. The users list is the right place for this.

> Or is there a more elegant way to solve this problem to not reply with
> "WWW-Authenticate: Basic" if authentication is not successful?

Maybe just change the status code to 403?

Mark

