
BASIC authentication

Hari babu
Ranch Hand
Posts: 208
Hi all,
When I use BASIC authentication, the application provides me a dialog box to enter "userName" and "password". Will this authenticate against my application user data source?
If yes, how does the server know my user data source?
If no, then against which source does it authenticate? Is the file "tomcat-users.xml" in Apache Tomcat used for this purpose?
If the server authenticates against its own user data source, how do I change that to authenticate against my application data source?
Please help
Maulin Vasavada
Ranch Hand
Posts: 1873
Hi Hari,
There are "webserver-specific" ways of doing what you want, because every webserver has some way of figuring out that there is a "basic auth" header in the request and that it has to do a "certain thing - certain code execution" to handle that basic-auth header.
Now we need to identify "that" intercepting part where it executes the code to authenticate the user, displaying the window, and tweak it (I am sure every webserver provides such flexibility) to call "our customized code" to be executed as the auth check.
But we will have to return a server-specific Success or Failure code so that the webserver can pop up the dialog box again if it was a failure...
I will need to look into Tomcat 4.0.5 to see how Tomcat works in this respect. I have used iPlanet 4.1 ES. I know we can do it with iPlanet using an AuthTrans fn (though I've never done it as I don't have that admin access).
Vikas Aggarwal
Ranch Hand
Posts: 140
The user data source must be there. See this example, this uses a simple hashtable for the user data source. You can use any other too.

    import java.io.*;
    import java.util.*;
    import javax.servlet.*;
    import javax.servlet.http.*;
    import com.oreilly.servlet.Base64Decoder;

    public class CustomAuth extends HttpServlet {
        // Demo user store: key is "user:password", value is "allowed"
        Hashtable users = new Hashtable();

        public void init(ServletConfig config) throws ServletException {
            super.init(config);
            // Names and passwords are case sensitive!
            users.put("vikas:aggarwal", "allowed");
        }

        public void doGet(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {
            PrintWriter out = res.getWriter();
            // Get Authorization header
            String auth = req.getHeader("Authorization");
            try {
                // Do we allow that user?
                if (!allowUser(auth)) {
                    // Not allowed, so report he's unauthorized
                    res.setHeader("WWW-Authenticate", "BASIC realm=\"users\"");
                    res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    // Could offer to add him to the allowed user list
                }
                else {
                    // Allowed, so show him the secret stuff
                    out.println("Top-secret stuff");
                }
            }
            catch (Exception ex) {
                // Malformed header or decoding failure: fail closed and ask again
                if (!res.isCommitted()) {
                    res.setHeader("WWW-Authenticate", "BASIC realm=\"users\"");
                    res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                }
            }
        }

        // This method checks the user information sent in the Authorization
        // header against the database of users maintained in the users Hashtable.
        protected boolean allowUser(String auth) throws Exception, IOException {
            if (auth == null) return false; // no auth
            if (!auth.toUpperCase().startsWith("BASIC "))
                return false; // we only do BASIC
            // Get encoded user and password, comes after "BASIC "
            String userpassEncoded = auth.substring(6);
            // Decode it, using any base 64 decoder (we use com.oreilly.servlet)
            String userpassDecoded = Base64Decoder.decode(userpassEncoded);
            // Check our user list to see if that user and password are "allowed"
            if ("allowed".equals(users.get(userpassDecoded)))
                return true;
            return false;
        }
    }
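
Added example, not part of the thread or of any poster's code: the same Authorization-header check done against a user store that keeps salted PBKDF2 hashes instead of plaintext "user:password" keys, splitting at the first colon and failing closed on malformed input. The class name HashedBasicAuth, the in-memory map standing in for the application's user table, the iteration count of 100,000 and the sample account are all assumptions made for illustration; it uses only JDK classes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HashedBasicAuth {
    // user name -> { salt, PBKDF2 hash }; stands in for the application's user table
    private final Map<String, byte[][]> users = new HashMap<>();

    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256); // assumed parameters
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
    void addUser(String name, String password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        users.put(name, new byte[][] { salt, hash(password.toCharArray(), salt) });
    }

    // Returns the authenticated user name, or null when the header is missing, malformed or wrong
    String authenticate(String header) {
        try {
            if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String userpass = new String(raw, StandardCharsets.UTF_8);
            int colon = userpass.indexOf(':');  // split at the FIRST colon; passwords may contain ':'
            if (colon < 0) return null;
            String name = userpass.substring(0, colon);
            byte[][] rec = users.get(name);
            if (rec == null) return null;
            byte[] candidate = hash(userpass.substring(colon + 1).toCharArray(), rec[0]);
            return MessageDigest.isEqual(candidate, rec[1]) ? name : null;  // constant-time compare
        } catch (Exception ex) {
            return null;  // invalid Base64 and similar errors: fail closed
        }
    }
    static String header(String userpass) {  // builds a constructed sample header
        return "Basic " + Base64.getEncoder().encodeToString(userpass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        HashedBasicAuth auth = new HashedBasicAuth();
        auth.addUser("demo", "pass:with:colon");  // constructed sample account
        System.out.println(auth.authenticate(header("demo:pass:with:colon")));
        System.out.println(auth.authenticate(header("demo:wrong")));
        System.out.println(auth.authenticate("Basic %%%"));
    }
}
```

In a servlet, a null result from authenticate would map to the 401 response with the WWW-Authenticate header. Basic credentials are only Base64-encoded on the wire, so the endpoint should be served over TLS.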