
Can you bypass login screen?

Kelly Dolan
Ranch Hand

Joined: Jan 08, 2002
Posts: 109
Is there any way a client browser can bypass a login screen to a protected servlet (e.g., requiring BASIC or FORM authentication) by passing in its login credentials with the request?

Specifically, I'm using JBoss and I have the following scenario. I'm open to suggestions in case I'm doing something really strange.

I have a requirement to allow a user to authenticate with my web application via a certificate or user id/password. Since a WAR file can only be configured one way, I'm considering standing up a dummy servlet configured for certificate authentication which will then redirect (in some way) the request to the application which is configured for user id/password authentication. The dummy servlet will be able to, given the certificate, look up the user id/password for the user so it has the information the application needs to authenticate. However, I have not found a way to pass this information to the application in such a way that if provided, the login screen is not displayed. The application needs to be protected because users that do not have a certificate will go directly to the application URL and will need to be prompted for a user id/password.

Thanks for any and all help!