1 Reply Latest reply on Jan 27, 2005 3:54 AM by starksm64

    Can I bypass the login screen?

    kdolan1

      Is there any way a client browser can bypass a login screen to a protected servlet (e.g., requiring BASIC or FORM authentication) by passing in its login credentials with the request?

      Specifically, I have the following scenario. I'm open to suggestions in case I'm doing something really strange.

      I have a requirement to allow a user to authenticate with my web application via a certificate or user id/password. Since a WAR file can only be configured one way, I'm considering standing up a dummy servlet configured for certificate authentication which will then redirect (in some way) the request to the application which is configured for user id/password authentication. The dummy servlet will be able to, given the certificate, look up the user id/password for the user so it has the information the application needs to authenticate. However, I have not found a way to pass this information to the application in such a way that if provided, the login screen is not displayed. The application needs to be protected because users that do not have a certificate will go directly to the application URL and will need to be prompted for a user id/password.

      Thanks for any and all help!

        • 1. Re: Can I bypass the login screen?
          starksm64

          You can mimic what a user browser would do. BASIC allows the username/password to be encoded in the request headers. FORM auth requires redirection to the form in the context of the session. The JBoss testsuite module in the source releases shows how both can be done. See the HttpClient usage in the org.jboss.test.web.test package.
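
The two flows the reply describes, as an added example that is not part of the original thread and not taken from the JBoss testsuite: a constructed toy server stands in for the container, and a client mimics the browser for BASIC and for FORM. `j_security_check`, `j_username`, `j_password` and `JSESSIONID` are the standard Servlet names; the account, the paths and the status code returned for a login POST outside a session are assumptions of the example.

```python
import base64, http.client, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode

USERS = {"alice": "s3cret"}  # constructed test account
SESSIONS = {}                # session id -> True once the FORM login succeeded

def basic_header(user, pw):  # BASIC: base64("user:password"), encoded but not encrypted
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

class ToyContainer(BaseHTTPRequestHandler):  # constructed stand-in, not JBoss code
    def reply(self, code, **headers):
        self.send_response(code)
        for name, value in {**headers, "Content_Length": "0"}.items():
            self.send_header(name.replace("_", "-"), value)
        self.end_headers()
    def sid(self):
        return self.headers.get("Cookie", "").partition("JSESSIONID=")[2]
    def do_GET(self):
        if self.path == "/basic":  # credentials arrive with the request itself
            ok = self.headers.get("Authorization") in {basic_header(u, p) for u, p in USERS.items()}
            return self.reply(200) if ok else self.reply(401, WWW_Authenticate='Basic realm="demo"')
        if SESSIONS.get(self.sid()): return self.reply(200)  # FORM: session already logged in
        sid = secrets.token_hex(16)  # otherwise open a session and redirect to the form
        SESSIONS[sid] = False
        self.reply(302, Location="/login", Set_Cookie="JSESSIONID=" + sid)
    def do_POST(self):  # stands in for j_security_check
        form = dict(parse_qsl(self.rfile.read(int(self.headers["Content-Length"])).decode()))
        if self.sid() not in SESSIONS: return self.reply(400)  # login POST outside a session
        SESSIONS[self.sid()] = USERS.get(form.get("j_username")) == form.get("j_password", "")
        self.reply(302, Location="/form")

def call(port, method, path, body=None, **headers):
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request(method, path, body, {k.replace("_", "-"): v for k, v in headers.items()})
    resp = conn.getresponse(); resp.read(); conn.close()
    return resp.status, resp.getheader("Set-Cookie", "")

def demo():
    srv = HTTPServer(("127.0.0.1", 0), ToyContainer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port, ctype = srv.server_port, "application/x-www-form-urlencoded"
    creds = urlencode({"j_username": "alice", "j_password": "s3cret"})
    basic = call(port, "GET", "/basic", Authorization=basic_header("alice", "s3cret"))[0]
    blind = call(port, "POST", "/j_security_check", creds, Content_Type=ctype)[0]
    cookie = call(port, "GET", "/form")[1]  # the container opens the session here
    call(port, "POST", "/j_security_check", creds, Content_Type=ctype, Cookie=cookie)
    form = call(port, "GET", "/form", Cookie=cookie)[0]
    srv.shutdown()
    return basic, blind, form
```

`demo()` returns the status of the single BASIC request, of a login POST sent without first requesting the protected page, and of the protected page after the in-session login. In both schemes the password crosses the wire in recoverable form, so either one belongs behind TLS.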