P.S. If none of this is possible in any quasi-portable manner, I'd still
be interested in how to do it just for Tomcat 5.5.x.
Jess Holle wrote:
Does anyone have any pointers as to how one can achieve form-based
authentication with an "out" for basic authentication?
Essentially given programmatic clients that expect a protocol level
authentication mechanism like HTTP Basic and human clients that are
more comfortable with form based authentication, the desire would be
to have each URL do form based authentication except where the
user-agent or headers suggest thatt basic authentication is more
appropriate. After initial login cookie-based behavior is acceptable
in either case. What is not realistic, however, is to expect every
programmatic client to know about form based login, which is, after
all, an ad hoc application-level convention (albeit formalized in the
servlet spec) rather than a protocol-handler-level standard.
What I'm looking for is pointers to do this in a way that will be
portable across all servlet 2.4 and higher servlet engines.
Somewhat separately we may end up with our own custom realm (or
realm-like object) at least in cases where we can get a hold of this
layer as only being able to check a single LDAP is not a realistic
constraint these days. [Tomcat's JNDI realm allow you to provide an
alternate URL when the first URL is unreachable, but what's needed is
a list of URLs where the first containing data for a given user id
wins. One could/should constrain the URLs to not contain overlapping
user id sets, of course.]
--
Jess Holle
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
