On 03/10/2016 14:20, Johannes Michler wrote:
> Hi Mark,
>
> Thanks a lot for pointing out. Indeed I relied too much that I did not get
> any faults and didn't check that part. I'll try with the renamed method
> tomorrow, but I'm quite sure that will solve the issue.

Great.

> Regarding returning http 403 you suggest to do that in our custom
> basicauthenticator as well, correct? But this would still require us to
> install a tomcat version specific library globally, wouldn't it?

It would. I don't see a way to avoid this with custom code at this point.

Mark

>
> Br
> Johannes
>
> On 03.10.2016 15:01, "Mark Thomas" <ma...@apache.org> wrote:
>
> On 01/10/2016 18:50, Johannes Michler wrote:
>> Hi,
>>
>> for our own web-application we overwrite the standard way of how Tomcat
>> BasicAuthenticator is working in order to avoid the popup of a
>> "Basic-Auth-Dialog" in some situations (where we're calling a service
>> provided by the tomcat over a script). Therefore our context.xml in the
>> app looks as follows:
>>
>> <Context cookies="false">
>>     <Valve
>>         className="biz.horus.database.server.servletscript.HorusTomcatBasicAuthenticator"
>>     />
>> </Context>
>>
>> HorusTomcatBasicAuthenticator is implemented as follows:
>> public class HorusTomcatBasicAuthenticator extends BasicAuthenticator
>>         implements Authenticator {
>>
>>     @Override
>>     public boolean authenticate( Request request, HttpServletResponse response) throws IOException {
>>         System.out.println( "XXXX start out");
>>         boolean result = super.authenticate( request, response);
>>         System.out.println( "XXXX authenticate: " + result);
>>         modifyResponse( request, response);
>>         return result;
>>     }
>>     private void modifyResponse( Request request, HttpServletResponse response) {
>>         String url = request.getPathInfo();
>>         System.out.println( "XX URL=" + url);
>>         System.out.println( "XX Auth Header:" + response.getHeader( AUTH_HEADER_NAME));
>>         if ( response.getHeader( AUTH_HEADER_NAME) != null && url.startsWith( "/rest"))
>>             response.setHeader( AUTH_HEADER_NAME, "HCP_BASIC");
>>     }
>>
>> }
>>
>>
>> This is working great with Tomcat 8.0(.37). Though with Tomcat 8.5.5
>> that code in "authenticate" is no longer called.
>> Instead it seems that the "standard" BasicAuthenticator is being used.
>>
>> However if I entirely remove my jar-file that contains
>> HorusTomcatBasicAuthenticator.jar from the tomcat/lib-folder I'm getting
>> an error.
>>
>> Any ideas on that? I've looked into the tomcat 8.5 migration guide but
>> could not find any hints on changed behaviour.
>
> <quote>
> Whilst the Tomcat 8.5 internal API is broadly compatible with Tomcat 8.0
> there have been many changes at the detail level and they are not binary
> compatible. Developers of custom components that interact with Tomcat's
> internals should review the JavaDoc for the relevant API.
> </quote>
>
> ->
> http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/AuthenticatorBase.html
>
> and
>
> http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/authenticator/BasicAuthenticator.html
>
> Of particular note will be changes related to authenticate() and
> doAuthenticate().
>
>> Also when comparing the
>> Valve-Documentation of Tomcat 8.5 and 8.0 I do not see a difference.
>>
>> Or would it be better to address this with d...@tomcat.apache.org
>> since it might as well be a bug?
>
> No. The users list is the right place for this.
>
>> Or is there a more elegant way to solve this problem to not reply with
>> "WWW-Authenticate: Basic" if authentication is not successful?
>
> Maybe just change the status code to 403?
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
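
The "renamed method" discussed in the thread, as an added example that is not part of the original messages and was not posted by either participant: the valve from the first post moved from authenticate() to the doAuthenticate() hook. It assumes the Tomcat 8.5 API described in the JavaDoc linked above, where AuthenticatorBase.invoke() calls the protected doAuthenticate(); the class name, the "/rest" prefix and the "HCP_BASIC" value are taken from the post, the helper name relabelChallenge is hypothetical, and a null check on the path is added.

```java
package biz.horus.database.server.servletscript;

import java.io.IOException;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.authenticator.BasicAuthenticator;
import org.apache.catalina.connector.Request;

/**
 * Added example: the custom valve from the thread, ported to the method the
 * Tomcat 8.5 valve pipeline invokes. Assumption: Tomcat 8.5, where overriding
 * the public authenticate() no longer intercepts the valve's own check.
 */
public class HorusTomcatBasicAuthenticator extends BasicAuthenticator {

    // Challenge value from the original post, used there so that script
    // clients do not trigger the browser's Basic auth dialog.
    private static final String SCRIPT_SCHEME = "HCP_BASIC";

    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response)
            throws IOException {
        boolean authenticated = super.doAuthenticate(request, response);
        if (!authenticated) {
            // Only a failed attempt carries a challenge header to rewrite.
            relabelChallenge(request, response);
        }
        return authenticated;
    }

    // Hypothetical helper name; same logic as modifyResponse() in the post.
    private void relabelChallenge(Request request, HttpServletResponse response) {
        String path = request.getPathInfo();
        // getPathInfo() returns null when there is no extra path information;
        // the original code would throw a NullPointerException here.
        if (path == null || !path.startsWith("/rest")) {
            return;
        }
        // AUTH_HEADER_NAME ("WWW-Authenticate") is inherited from AuthenticatorBase.
        if (response.getHeader(AUTH_HEADER_NAME) != null) {
            response.setHeader(AUTH_HEADER_NAME, SCRIPT_SCHEME);
        }
    }
}
```

As noted in the thread, the jar containing this class still has to be built against the matching Tomcat version and placed in tomcat/lib.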