Thanks for your reply. > Getting the user name and password > > String authorization = request.getHeader("Authorization"); > if (authorization == null) return 0; > > // Authorization headers looks like "Basic blahblah", > // where blahblah is the base64 encoded username and > // password. We want the part after "Basic ". > String userInfo = authorization.substring(6).trim(); > BASE64Decoder decoder = new BASE64Decoder(); > String nameAndPassword = ""; > try{ > nameAndPassword = new > String(decoder.decodeBuffer(userInfo)); > }catch ( IOException e ){} > // Decoded part looks like "username:password". > int index = nameAndPassword.indexOf(":"); > String user = nameAndPassword.substring(0, index); > user = user.trim(); > if(user == null) return 0; > String password = nameAndPassword.substring(index+1); > password = password.trim(); > if(password == null) return 0;
Yes, but now how do you validate the password is correct and check which roles? (Don't want to parse tomcat-users.xml, and we would like to be able to use the LDAP etc. plug ins.) I don't think that JAAS is hooked up at that level. > > To trigger the browser the headers look like this > response.setStatus(response.SC_UNAUTHORIZED); > response.setHeader("WWW-Authenticate", "BASIC > realm=\"User Check\""); Yes, that's essentially what I do. sendError is slightly better than setStatus. > > Tomcat seems to only check the Authorization: headers if there is some > <security-constraint> explicitly declared in web.xml. However, it > appears that the optimization has been incorrectly implemented because > it does not then recheck the header if request.isUserInRole(...) etc. > are called. So users cannot log into a system that uses > request.isUserInRole(...). > > More specifically, > my simple application tests request.isUserInRole(...) and > request.getRemoteUser(). If the user lacks permissions the application > sends a 401, and the user is prompted for a name/password which is sent > back as a Authorization: Basic dGltOlBhc3N3b3JkMQ== > > So far so good. But Tomcat then ignores the Authorization: header which > is correctly sent by the browser. > > The web.xml has > <login-config> > <auth-method>BASIC</auth-method> > <realm-name>Agile UI: tim/Password1</realm-name> > </login-config> > in it. > > There is no <security-constraint> clause in the web.xml because I do not > want to declare them there. (They are instead declared internally as > part of a menuing system, which calls request.isUserInRole().) > > A hack to make Tomcat look at the Authorization: header is to add the > following to web.xml > > <security-constraint> > <web-resource-collection> > <web-resource-name>dbtest</web-resource-name> > <url-pattern>/dbtest/*</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>dummy<role-name> > </auth-constraint> > </security-constraint> > > In which case it works if one accepts the unwanted dummy query. > > Is it possible to tell Tomcat to always check the Authorization:? > > Alternatively, is it possible to grant the dummy role to anonymous > users? Do anonymous users have any role that could be added to a dummy > <security-constraint>? > > Is it possible for me to determine which users have which roles in my > application so that I can check the header myself? Ie. get at the > tomcat-users.xml style info, in a (fairly) web server independent > manner? > > Or going the other way, is it possible for webapp to easily find out > what roles are required for a given .jsp to run? (We want to grey out > menu items that a user has no access to.) > > My general feeling is that attempting to use Java Servlet security is > just wrong. One should simply do it oneself. > > Anthony > > -- > Dr Anthony Berglas > Ph. +61 7 3227 4410 > (Mob. +61 42 783 0248) > [EMAIL PROTECTED]; [EMAIL PROTECTED] > > > --------------------------------------------------------------------- > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > > --------------------------------------------------------------------- > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]