Can I change authorization parameters in code?
I found this:
"1. Check whether there is an Authorization header. If there is
no such header, go to Step 2. If there is, skip over the word
"basic" and reverse the base64 encoding of the remaining part.
This results in a string of the form username:password. Check
the username and password against some stored set. If it
matches, return the page. If not, go to Step 2.
2. Return a 401 (Unauthorized) response code and a header of
the following form:
WWW-Authenticate: BASIC realm="some-name"
This response instructs the browser to pop up a dialog box telling
the user to enter a name and password for some-name, then
to reconnect with that username and password embedded in a
single base64 string inside the Authorization header."
Also if <auth-method>BASIC</auth-method> then
request.getHeader("Authorization"); return something like this "Basic
YWRtaW46YWRtaW4=" (this is for admin:admin ), but if
<auth-method>FORM</auth-method> then request.getHeader("Authorization");
Where is it? In session?
I use this for decoding:
String authorization = request.getHeader("Authorization");
String userInfo = authorization.substring(6).trim();
BASE64Decoder decoder = new BASE64Decoder();
String nameAndPassword =
int index = nameAndPassword.indexOf(":");
String user = nameAndPassword.substring(0, index);
String password = nameAndPassword.substring(index+1);
I try with admin:admin and with sun.misc.BASE64Encoder make encode, and with
response.setHeader("Authorization", "Basic YWRtaW46YWRtaW4="), but nothing
happen and I can't get secure pages?
So, can I /addchange authorization parameters in code or server can only do
No one know?
OK, is it somehow possible to put with servlet same data that server put after successfully check user name and password in <auth-method>, BASIC or FORM?
I want to use my own login way and I need to put this data so web server can exchange this data with EJB server.
Or there is another way how to send role info to EJB server?