On 03/10/2016 14:20, Johannes Michler wrote:
> Hi Mark,
>
> Thanks a lot for pointing out. Indeed I relied to much that I did not get
> any faults and didn't check that part. I'll try with the renamed method
> tomorrow, but I'm quite sure that will solve the issue.
Great.
> Regarding returning http 403 you suggest to do that in our custom
> basicauthenticator as well, correct? But this would still require us to
> install a tomcat version specific library globally, wouldn't it?
It would. I don't see a way to avoid this with custom code at this point.
Mark
>
> Br
> Johannes
>
> Am 03.10.2016 15:01 schrieb "Mark Thomas" <ma...@apache.org>:
>
> On 01/10/2016 18:50, Johannes Michler wrote:
>> Hi,
>>
>> for our own web-application we overwrite the standard way of how Tomcat
>> BasicAuthenticator is working in order to avoid the popup of a
>> "Basic-Auth-Dialog" in some situations (where we're calling a service
>> provided by the tomcat over a script). Therefore our context.xml in the
>> app looks as follows:
>>
>> <Context cookies="false">
>> <Valve
>> className="biz.horus.database.server.servletscript.
> HorusTomcatBasicAuthenticator"
>> />
>> </Context>
>>
>> HorusTomcatBasicAuthenticator is implemented as follows:
>> public class HorusTomcatBasicAuthenticator extends BasicAuthenticator
>> implements Authenticator {
>>
>> @Override
>> public boolean authenticate( Request request, HttpServletResponse
>> response) throws IOException {
>> System.out.println( "XXXX start out");
>> boolean result = super.authenticate( request, response);
>> System.out.println( "XXXX authenticate: " + result);
>> modifyResponse( request, response);
>> return result;
>> }
>> private void modifyResponse( Request request, HttpServletResponse
>> response) {
>> String url = request.getPathInfo();
>> System.out.println( "XX URL=" + url);
>> System.out.println( "XX Auth Header:" + response.getHeader(
>> AUTH_HEADER_NAME));
>> if ( response.getHeader( AUTH_HEADER_NAME) != null &&
>> url.startsWith( "/rest"))
>> response.setHeader( AUTH_HEADER_NAME, "HCP_BASIC");
>> }
>>
>> }
>>
>>
>> This is working great with Tomcat 8.0(.37). Though with Tomcat 8.5.5
>> that code in "authenticate" is no longer called. Instead it seams that
>> the "standard" BasicAuthenticator is being used.
>>
>> However if I entirely remove my jar-file that contains
>> HorusTomcatBasicAuthenticator.jar from the tomcat/lib-folder I'm getting
>> an error.
>>
>> Any ideas on that? I've looked into the tomcat 8.5 migration guide but
>> could not find any hints on changed behaviour.
>
>
> <quote>
> Whilst the Tomcat 8.5 internal API is broadly compatible with Tomcat 8.0
> there have been many changes at the detail level and they are not binary
> compatible. Developers of custom components that interact with Tomcat's
> internals should review the JavaDoc for the relevant API.
> </quote>
>
> ->
> http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/
> catalina/authenticator/AuthenticatorBase.html
>
> and
>
> http://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/
> catalina/authenticator/BasicAuthenticator.html
>
>
> Of particular note will be changes related to authenticate() and
> doAuthenticate().
>
>
>> Also when comparing the
>> Valve-Documentation of Tomcat 8.5 and 8.0 I do not see a difference.
>>
>> Or would it be better to address this with d...@tomcat.apache.org
>> <mailto:d...@tomcat.apache.org> since it might as well be a bug?
>
> No. The users list is the right place for this.
>
>> Or is there a more elegant way to solve this problem to not reply with
>> "WWW-Authenticate: Basic" if authentication is not succesful?
>
> Maybe just change the status code to 403?
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
