1 Reply Latest reply on Jan 25, 2005 8:40 AM by mate vxvcx

    tomcat-5.0.27 authentication/authorization

    mate vxvcx Newbie

      Can I change authorization parameters in code?

      I found this:

      "1. Check whether there is an Authorization header. If there is
      no such header, go to Step 2. If there is, skip over the word
      "basic" and reverse the base64 encoding of the remaining part.
      This results in a string of the form username:password. Check
      the username and password against some stored set. If it
      matches, return the page. If not, go to Step 2.

      2. Return a 401 (Unauthorized) response code and a header of
      the following form:
      WWW-Authenticate: BASIC realm="some-name"
      This response instructs the browser to pop up a dialog box telling
      the user to enter a name and password for some-name, then
      to reconnect with that username and password embedded in a
      single base64 string inside the Authorization header."

      Also if <auth-method>BASIC</auth-method> then
      request.getHeader("Authorization"); return something like this "Basic
      YWRtaW46YWRtaW4=" (this is for admin:admin ), but if
      <auth-method>FORM</auth-method> then request.getHeader("Authorization");
      return null.
      Where is it? In session?

      I use this for decoding:
      String authorization = request.getHeader("Authorization");
      String userInfo = authorization.substring(6).trim();
      BASE64Decoder decoder = new BASE64Decoder();
      String nameAndPassword =
      new String(decoder.decodeBuffer(userInfo));
      int index = nameAndPassword.indexOf(":");
      String user = nameAndPassword.substring(0, index);
      String password = nameAndPassword.substring(index+1);

      I try with admin:admin and with sun.misc.BASE64Encoder make encode, and with
      response.setHeader("Authorization", "Basic YWRtaW46YWRtaW4="), but nothing
      happen and I can't get secure pages?

      So, can I /addchange authorization parameters in code or server can only do

        • 1. Re: tomcat-5.0.27 authentication/authorization
          mate vxvcx Newbie

          No one know?

          OK, is it somehow possible to put with servlet same data that server put after successfully check user name and password in <auth-method>, BASIC or FORM?

          I want to use my own login way and I need to put this data so web server can exchange this data with EJB server.
          Or there is another way how to send role info to EJB server?

          Help me!!!