The moose likes Security and the fly likes Can you bypass login screen? Big Moose Saloon

Can you bypass login screen?

Kelly Dolan
Ranch Hand

Joined: Jan 08, 2002
Posts: 109
Is there any way a client browser can bypass a login screen to a protected servlet (e.g., requiring BASIC or FORM authentication) by passing in its login credentials with the request?

Specifically, I'm using JBoss and I have the following scenario. I'm open to suggestions in case I'm doing something really strange.

I have a requirement to allow a user to authenticate with my web application via a certificate or user id/password. Since a WAR file can only be configured one way, I'm considering standing up a dummy servlet configured for certificate authentication which will then redirect (in some way) the request to the application which is configured for user id/password authentication. The dummy servlet will be able to, given the certificate, look up the user id/password for the user so it has the information the application needs to authenticate. However, I have not found a way to pass this information to the application in such a way that if provided, the login screen is not displayed. The application needs to be protected because users that do not have a certificate will go directly to the application URL and will need to be prompted for a user id/password.

Thanks for any and all help!