Win a copy of The Java Performance Companion this week in the Performance forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Authentication

 
Anup Om
Ranch Hand
Posts: 62
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hello,

When FORM based authentication is used, the container creates a session and it uses this session to track further requests for constrained URLs (and not ask for login information again).

But, when BASIC authentication is used, how does the container track requests for constrained resources?

Thanks for help in advance.
 
Frits Walraven
Creator of Enthuware JWS+ V6
Saloon Keeper
Pie
Posts: 2407
93
Android Chrome Eclipse IDE
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Anu,

With BASIC authentication the same thing applies: it is up to the servlet container to handle that

According to the specs (SRV.12.6 Server Tracking of Authentication Information)
As the underlying security identities (such as users and groups) to which roles are
mapped in a runtime environment are environment specific rather than application
specific, it is desirable to:
1. Make login mechanisms and policies a property of the environment the web
application is deployed in.
2. Be able to use the same authentication information to represent a principal to
all applications deployed in the same container, and
3. Require re-authentication of users only when a security policy domain boundary
has been crossed.
Therefore, a servlet container is required to track authentication information
at the container level (rather than at the web application level). This allows users
authenticated for one web application to access other resources managed by the
container permitted to the same security identity.

This makes it even possible to be authenticated for a number of web applications in the same JRE.

Regards,
Frits
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic