<Sorry for top post: Notes e-mail client restriction>

If you configure Tomcat to NOT require authentication for this particular servlet, then your servlet can examine the credentials, and if they are absent or insufficient, send a 401 - Not Authorized response, which causes the browser to prompt for id/pass. You can also manipulate the "realm" identified in that prompt by adding a WWW-Authenticate header to the 401 response:

    WWW-Authenticate: Basic realm="My Document Management System"

I'm not sure if Tomcat will interpret the resulting "Authorization" header in the next request, given that you asked it not to authenticate, but you can always ask for the contents of that header, strip off the "Basic " from the front, and Base64.decode the rest, yielding userid:password. Split on the ":" and you have your id and password.

Please respond to "Tomcat Users List" <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
cc:
Subject: servlet and HTTP authentication

Hi all;

gotta solve a very special authentication situation: Users need to have access to certain file packages using a URL like

    http://.../packages/<package-id>

with <package-id> referring to an identifier stored in a local document management system. User information (id, password) is stored in the DMS database as well. To provide access to a certain package, I need to ensure

(a) the user is valid (thus, has authenticated)
(b) the user is owner of the package (which I can find out using the DMS database as well)

However, following this approach I cannot use container-based authentication as the DBMS user management repository is not easily accessible via such a configuration, but there are Java classes to authenticate the user using an API which is to be called from another Java class, a servlet, ...

So, my question: Is there a way to configure Tomcat so that, for a given servlet or resource, an HTTP authentication window will appear and, then, the data entered there (username, password) is given to the servlet in order to do anything useful with it? I _suppose_ those parameters should be available as part of the Request, but I don't know how to make Tomcat demand HTTP authentication _without_ automatically validating these parameters. Any hints on that?

TIA and bye,
Kristian

--
Kristian Rink * http://zimmer428.net * jab: [EMAIL PROTECTED]
icq: 48874445 * fon: ++49 176 2447 2771
"When one person dreams alone, it is only a dream. When many dream together, it is the beginning of a new reality." (Hundertwasser)
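
The header handling described in the reply above, as an added example that is not code from either poster or from Tomcat. The class name `BasicAuthHeader`, the `Credentials` record and the sample user and password are assumptions made for illustration; it goes slightly beyond the reply by splitting on the first colon only and by rejecting malformed headers.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthHeader {
    /** Value for the WWW-Authenticate header sent together with the 401. */
    static final String CHALLENGE = "Basic realm=\"My Document Management System\"";

    /** User id and password decoded from one Authorization header (hypothetical type). */
    record Credentials(String userId, String password) {}

    /** Returns the credentials, or empty when the servlet should answer 401 + CHALLENGE. */
    static Optional<Credentials> parse(String header) {
        if (header == null) return Optional.empty();          // browser sent no credentials yet
        String[] parts = header.trim().split("\\s+", 2);
        // The scheme name is case-insensitive; anything other than Basic is rejected.
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) return Optional.empty();
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return Optional.empty();                          // not valid Base64
        }
        // Charset is an assumption: clients differ between ISO-8859-1 and UTF-8.
        String decoded = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: the password may itself contain ':'.
        int colon = decoded.indexOf(':');
        if (colon < 1) return Optional.empty();               // no colon, or empty user id
        return Optional.of(new Credentials(decoded.substring(0, colon),
                                           decoded.substring(colon + 1)));
    }

    public static void main(String[] args) {
        // Constructed sample headers; "alice" / "s3cr:et" are made-up values.
        String token = Base64.getEncoder()
                .encodeToString("alice:s3cr:et".getBytes(StandardCharsets.UTF_8));
        String[] samples = { "Basic " + token, "basic " + token, "Bearer abc", "Basic !!!", null };
        for (String h : samples) {
            // In a servlet, h would come from request.getHeader("Authorization"); on an empty
            // result call response.setHeader("WWW-Authenticate", CHALLENGE) and
            // response.sendError(HttpServletResponse.SC_UNAUTHORIZED).
            String outcome = parse(h)
                    .map(c -> "user=" + c.userId() + " passwordLength=" + c.password().length())
                    .orElse("401 + WWW-Authenticate: " + CHALLENGE);
            System.out.println(h + " -> " + outcome);
        }
    }
}
```

Basic credentials are only Base64-encoded, not encrypted, so a servlet handling them this way should be reachable over HTTPS only.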