André,

On 12/9/2009 5:40 PM, André Warnier wrote:
> Ok, my try here. And by the same token - haha - I will give a chance to
> Chris to jump in.

Sure, why not?

> - there is (preferably) one application. As Chuck is saying, it should
> not care /how/ the user was authenticated, just that he is.
> That's just a getRemoteUser() for you, isn't it?

+1

> - unfortunately, the Holy Servlet Spec does not foresee nor allow that 2
> alternative methods of authentication would be used.

+1

> This looks to me the perfect case for a servlet filter.

+1

> The filter applies to all requests to the webapp.

-1 (see below)

> - the request itself contains an "Authorization:" header.

[or]

> - the request contains an authentication cookie (header).

[or]

> B) Neither of the above is true, so the request is not authenticated.

I think Anthony wants to /always/ use FORM for some URLs, and /always/
use BASIC for others. He hasn't said whether he wants either
authentication to allow access to the "other" part of the site.

securityfilter (http://securityfilter.sourceforge.net) can be tricked
into doing this. Although the standard operating procedure is to map sf
to all URLs (i.e. <url-pattern>/*</url-pattern>), one can choose to map
it to different patterns and deploy it /twice/:

    <filter>
      <filter-name>Security Filter BASIC</filter-name>
      <filter-class>org.securityfilter.filter.SecurityFilter</filter-class>
      <init-param>
        <param-name>config</param-name>
        <param-value>/WEB-INF/securityfilter-basic.xml</param-value>
      </init-param>
    </filter>

    <filter>
      <filter-name>Security Filter FORM</filter-name>
      <filter-class>org.securityfilter.filter.SecurityFilter</filter-class>
      <init-param>
        <param-name>config</param-name>
        <param-value>/WEB-INF/securityfilter-form.xml</param-value>
      </init-param>
    </filter>

    ...

    <!--
      /secure/yyy  => Form based auth
      /secure/xxx  => Form based auth
      /public/     => Form based auth
      /secure/xml/ => basic auth
      /xml/        => basic auth
    -->
    <filter-mapping>
      <filter-name>Security Filter FORM</filter-name>
      <url-pattern>/secure/yyy/*</url-pattern>
      <url-pattern>/secure/xxx/*</url-pattern>
      <url-pattern>/public/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>Security Filter BASIC</filter-name>
      <url-pattern>/secure/xml/*</url-pattern>
      <url-pattern>/xml/*</url-pattern>
    </filter-mapping>

Now, you simply have to configure each filter's instance with a
different configuration file (one using BASIC, one using FORM) and
you're good to go.

URLs that don't match any of the patterns above will basically be unable
to correctly use request.isUserInRole() and request.getPrincipal(), so
you ought to think about that very carefully.

-chris
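
An added example, not part of the original message or of securityfilter: a small Python audit that reads the filter-mapping entries of a web.xml and reports which context-relative paths no filter instance covers (the isUserInRole()/getPrincipal() caveat in the message) and which are matched by more than one instance. The function names and the list of paths are hypothetical, the embedded XML is constructed from the mappings quoted in the message, and matching follows the Servlet spec's url-pattern rules for filters.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two filter-mappings from the message above.
WEB_XML = """<web-app>
  <filter-mapping>
    <filter-name>Security Filter FORM</filter-name>
    <url-pattern>/secure/yyy/*</url-pattern>
    <url-pattern>/secure/xxx/*</url-pattern>
    <url-pattern>/public/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>Security Filter BASIC</filter-name>
    <url-pattern>/secure/xml/*</url-pattern>
    <url-pattern>/xml/*</url-pattern>
  </filter-mapping>
</web-app>"""

def pattern_matches(pattern, path):
    """url-pattern rules for filters: '/prefix/*', '*.ext', else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        segment = path.rsplit("/", 1)[-1]
        return "." in segment and segment.rsplit(".", 1)[1] == pattern[2:]
    return pattern == path

def load_mappings(web_xml):
    """[(filter-name, [url-pattern, ...])] in order; XML namespaces ignored."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    out = []
    for fm in ET.fromstring(web_xml).iter():
        if local(fm) == "filter-mapping":
            kids = [(local(c), (c.text or "").strip()) for c in fm]
            name = next(t for tag, t in kids if tag == "filter-name")
            out.append((name, [t for tag, t in kids if tag == "url-pattern"]))
    return out

def filters_for(path, mappings):
    """Names of all filters whose patterns match a context-relative path."""
    return [n for n, pats in mappings if any(pattern_matches(p, path) for p in pats)]

def audit(paths, mappings):
    """Return (paths no filter covers, {path: filters} where several apply)."""
    hits = {p: filters_for(p, mappings) for p in paths}
    return [p for p in paths if not hits[p]], {p: f for p, f in hits.items() if len(f) > 1}

if __name__ == "__main__":
    paths = ["/secure/xxx/a.jsp", "/secure/xml/feed", "/secure/index.jsp", "/xml"]
    print(audit(paths, load_mappings(WEB_XML)))
```

Feed it the application's real web.xml and a list of the paths the webapp actually serves; anything in the first list is reached without either securityfilter instance in front of it.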