Using MemoryRealm to protect JSP application.

Rudy Rusli
Ranch Hand

Joined: Jun 01, 2006
Posts: 114
I'm using MemoryRealm to protect my JSP application.

It works just fine: the user will need to enter the username and password in a pop-up box before they can enter the JSP.

My question is:
Is there any built-in capability that I can put in my web.xml or somewhere else so that, let's say, after some period of inactivity, the pop-up box will show up again and the user will be required to enter the username and password again?

Thanks.
Tarun Yadav
Ranch Hand

Joined: Sep 20, 2007
Posts: 134
The dialog box only appears when the client (the browser) sends a request to the server for a protected resource and the user is not logged in. The server then sends back a response indicating that the user needs to authenticate himself to access that resource. That's when the dialog appears.

I'm not exactly sure when it would appear again but from what I've experienced, it won't happen on a session timeout. I don't think you can control it; it only appears when the authentication is required for the first time or subsequently fails.

On the other hand, if you used FORM based login, you could redirect your user to the login page on session timeout and require him to login again.

EDIT: As I understand it, I suspect that it works this way:
1. You attempt to access a protected page
2. The server sends back a response asking you for authentication
3. The browser displays the dialog and you enter the details
4. If it's invalid, repeat from 2.
5. Else, the server then sends you the correct response.
6. If you attempt to access the protected resource again, the browser preemptively sends your userid/password with the very first request, so you don't have to enter it again. However, should it fail for some reason, you'll repeat from 2.

Take a look at these, esp the last link: http://en.wikipedia.org/wiki/Basic_authentication_scheme
http://www.httprevealer.com/article_basic_authentication.htm
http://httpd.apache.org/docs/1.3/howto/auth.html#basic
[ October 03, 2007: Message edited by: Tarun Yadav ]
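
The FORM-based setup suggested in the answer above, as an added example that is not part of either post: a `web.xml` fragment with the BASIC login-config shown as the "before" and a FORM login-config plus session timeout as the "after". The URL pattern, role name, page names and the 15-minute timeout are assumptions.

```xml
<!-- Added example: fragment of WEB-INF/web.xml. Names and values marked
     "assumed" are illustrative and do not come from the thread. -->
<web-app>

  <!-- Idle sessions expire after 15 minutes (assumed value; unit is minutes). -->
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected JSPs</web-resource-name>
      <url-pattern>/protected/*</url-pattern>  <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>member</role-name>            <!-- assumed role -->
    </auth-constraint>
  </security-constraint>

  <!-- Before: BASIC. The browser caches the credentials and re-sends them
       with every request, so an expired session is silently re-authenticated
       and the pop-up never returns.
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Protected JSPs</realm-name>
  </login-config>
  -->

  <!-- After: FORM. The login is tied to the session, so once the session
       times out the next request for a protected page gets the login form. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- assumed page; its form must POST j_username and j_password
           to j_security_check -->
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>  <!-- assumed page -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

The MemoryRealm itself does not change; the assumed role only has to be one that the realm's user file assigns to the user. Both BASIC and FORM send the password in a form the network can read (BASIC is only Base64-encoded), so serve the protected pages over HTTPS.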
 