BASIC authentication

Hari babu
Ranch Hand

Joined: Jun 25, 2001
Posts: 208
Hi all,
When I use the BASIC authentication, the application provides me a dialog box to enter "userName" and "password". Will this authenticate against my application user data source?
If yes, how does the server know my user data source?
If no, then against which source does it authenticate? Is the file "tomcat-users.xml" in Apache Tomcat used for this purpose?
If the server authenticates against its own user data source, how do I change that to authenticate against my application data source?
Please help
Hari
Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1871
hi hari
there are "Webserver specific" ways of doing what you want, because every webserver has some way of figuring out that there is a "basic auth" header in the request and it has to do a "certain thing - certain code execution" to handle that basic-auth header.
now we need to identify "that" intercepting part where it is executing the code to authenticate the user and display the window, and tweak it (I am sure every webserver provides such flexibility) to call "our customized code" to be executed as the auth check.
but we will have to return a server-specific Success or Failure code so that the webserver can re-popup the dialog box if it was a failure...
I will need to look into Tomcat4.0.5 to see how Tomcat works in this respect. I have used iPlanet4.1 ES. I know we can do it with iPlanet using the AuthTrans fn (though I've never done it as I don't have that admin access)
regards
maulin
Vikas Aggarwal
Ranch Hand

Joined: Jun 22, 2001
Posts: 140
The user data source must be there. See this example, this uses a simple hashtable for the user data source. You can use any other too.

    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import com.oreilly.servlet.Base64Decoder;

    public class CustomAuth extends HttpServlet {

        // User data source: "user:password" -> "allowed"
        Hashtable<String, String> users = new Hashtable<String, String>();

        public void init(ServletConfig config) throws ServletException {
            super.init(config);
            // Names and passwords are case sensitive!
            users.put("vikas:aggarwal", "allowed");
        }

        public void doGet(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            res.setContentType("text/plain");
            // Get Authorization header
            String auth = req.getHeader("Authorization");
            boolean allowed;
            try {
                // Do we allow that user?
                allowed = allowUser(auth);
            } catch (Exception ex) {
                // A header that cannot be decoded counts as a failed login
                allowed = false;
            }
            if (!allowed) {
                // Not allowed, so report he's unauthorized
                res.setHeader("WWW-Authenticate", "BASIC realm=\"users\"");
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                // Could offer to add him to the allowed user list
            } else {
                // Allowed, so show him the secret stuff
                PrintWriter out = res.getWriter();
                out.println("Top-secret stuff");
            }
        }

        // This method checks the user information sent in the Authorization
        // header against the database of users maintained in the users Hashtable.
        protected boolean allowUser(String auth) throws Exception {
            if (auth == null) return false; // no auth
            if (!auth.toUpperCase().startsWith("BASIC "))
                return false; // we only do BASIC
            // Get encoded user and password, comes after "BASIC "
            String userpassEncoded = auth.substring(6);
            // Decode it, using any base 64 decoder (we use com.oreilly.servlet)
            String userpassDecoded = Base64Decoder.decode(userpassEncoded);
            // Check our user list to see if that user and password are "allowed"
            return "allowed".equals(users.get(userpassDecoded));
        }
    }


Vikas Aggarwal

Founder @
Leads and Deals Limited

www.LeadsAndDeals.com
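
A stand-alone variant of the header check in the servlet above, added here as an example and not part of the original post: it stores a password hash per user instead of "user:password" strings, splits the decoded credentials at the first colon, and treats a malformed header as a failed login. The class name BasicAuthCheck, its methods and the sample user are assumptions, and it uses java.util.Base64 (Java 8+) in place of com.oreilly.servlet.Base64Decoder.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example; BasicAuthCheck and its methods are hypothetical names.
public class BasicAuthCheck {
    // user name -> SHA-256 of the password (a real store should use a salted, slow hash)
    private final Map<String, byte[]> users = new HashMap<>();

    static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    void addUser(String name, String password) throws Exception {
        users.put(name, sha256(password));
    }

    // Returns the authenticated user name, or null so the caller answers 401.
    String authenticate(String header) throws Exception {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return null; // malformed credentials are a failed login, not a server error
        }
        int colon = decoded.indexOf(':'); // user names cannot contain ':', passwords can
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        byte[] expected = users.get(user);
        // Hash the supplied password even for unknown users, then compare in constant time.
        byte[] supplied = sha256(decoded.substring(colon + 1));
        boolean match = MessageDigest.isEqual(supplied, expected != null ? expected : new byte[32]);
        return (match && expected != null) ? user : null;
    }

    public static void main(String[] args) throws Exception {
        BasicAuthCheck auth = new BasicAuthCheck();
        auth.addUser("vikas", "aggar:wal"); // constructed sample user; password contains ':'
        String good = "Basic " + Base64.getEncoder()
                .encodeToString("vikas:aggar:wal".getBytes(StandardCharsets.UTF_8));
        System.out.println("valid header   -> " + auth.authenticate(good));
        System.out.println("wrong password -> " + auth.authenticate("basic dmlrYXM6d3Jvbmc="));
        System.out.println("bad base64     -> " + auth.authenticate("Basic %%%"));
        System.out.println("no header      -> " + auth.authenticate(null));
    }
}
```

In a servlet, a null result maps to the same WWW-Authenticate header and SC_UNAUTHORIZED response that CustomAuth sends.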
 