Does anyone have any pointers as to how one can achieve form-based
authentication with an "out" for basic authentication?

Essentially, given programmatic clients that expect a protocol level
authentication mechanism like HTTP Basic and human clients that are more
comfortable with form based authentication, the desire would be to have
each URL do form based authentication except where the user-agent or
headers suggest that basic authentication is more appropriate. After
initial login, cookie-based behavior is acceptable in either case. What
is not realistic, however, is to expect every programmatic client to
know about form based login, which is, after all, an ad hoc
application-level convention (albeit formalized in the servlet spec)
rather than a protocol-handler-level standard.

What I'm looking for is pointers to do this in a way that will be
portable across all servlet 2.4 and higher servlet engines.

Somewhat separately we may end up with our own custom realm (or
realm-like object) at least in cases where we can get a hold of this
layer as only being able to check a single LDAP is not a realistic
constraint these days. [Tomcat's JNDI realm allows you to provide an
alternate URL when the first URL is unreachable, but what's needed is a
list of URLs where the first containing data for a given user id wins.
One could/should constrain the URLs to not contain overlapping user id
sets, of course.]
--
Jess Holle
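
The behaviour asked about above, sketched as a plain servlet Filter; this is an added example, not code from the original post or from any servlet container. It assumes Java 8+ for `java.util.Base64`, and the names `DualAuthFilter`, `CredentialChecker`, `authUser` and `/login.jsp` are hypothetical, as is the choice of the `Authorization` and `Accept` headers as the signal; the form handler that sets the session attribute after a form login is not shown.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

public class DualAuthFilter implements Filter {
    // Hypothetical hook for a custom realm (for example one that tries several LDAP URLs).
    public interface CredentialChecker { boolean verify(String user, String password); }
    private static final String USER_ATTR = "authUser";    // assumed session attribute
    private static final String LOGIN_PAGE = "/login.jsp"; // assumed; keep it out of this filter's mapping
    private CredentialChecker checker; // null until wired in init(): every Basic attempt then fails closed

    public void init(FilterConfig cfg) { /* look up the CredentialChecker here */ }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);
        if (s != null && s.getAttribute(USER_ATTR) != null) { chain.doFilter(rq, rs); return; }
        String authz = req.getHeader("Authorization");
        if (authz != null && authz.regionMatches(true, 0, "Basic ", 0, 6)) {
            String[] up = decode(authz.substring(6));
            // Basic credentials are only base64-encoded, so accept them over TLS only.
            if (req.isSecure() && up != null && checker != null && checker.verify(up[0], up[1])) {
                if (s != null) s.invalidate(); // fresh session id after login (session fixation)
                req.getSession(true).setAttribute(USER_ATTR, up[0]);
                chain.doFilter(rq, rs);
                return;
            }
            challenge(res);
            return;
        }
        String accept = req.getHeader("Accept");
        if (accept != null && accept.contains("text/html")) { // looks like a browser: form login
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + LOGIN_PAGE));
        } else challenge(res);                                // programmatic client: 401 challenge
    }
    private static void challenge(HttpServletResponse res) throws IOException {
        res.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
    // Returns {user, password}, or null when the header value is not valid "user:password" base64.
    static String[] decode(String b64) {
        try {
            String pair = new String(Base64.getDecoder().decode(b64.trim()), StandardCharsets.UTF_8);
            int i = pair.indexOf(':');
            return i < 0 ? null : new String[] { pair.substring(0, i), pair.substring(i + 1) };
        } catch (IllegalArgumentException e) { return null; }
    }
}
```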