Form-based and Basic Authentication

We have some content that we would like to protect that is accessible directly from a Web Server without going through an App Server.

The App Server handles authentication using forms for most of the site, but we also have assets, hosted by the Web Server, that we would like only authenticated users to have access to.

Is it possible to authenticate the user on the App Server, and somehow 'pre-authenticate' them for Basic Authentication so that when they hit the protected resource on the Web Server they are not presented with a dialog box and asked to re-authenticate again?

By jeffreywinter at 2007-9-26 2:41:17
# 1

You can separate your web server from your application server and only authenticate on the application server.

Or only set up your web.xml so only application URLs are protected and not those to the static content considered to be on the web server. You can use the <url-pattern> tag to specify what URLs you want protected.

It sounds like the pre-authentication solution is to just not authenticate until the user requests resources that you actually want them to log in to be able to access.

eglerk at 2007-6-29 10:16:38
# 2

I don't believe there is any really clean way of doing that (which would be having a nice cross-platform browser API for seeding such information). However, one not so clean way of doing it (which appears to work in most modern browsers) is to use some URL tricks. From the web application, you could have a link to the web server which works like this:

<a href="http://username:password@web-server/resources">Web Server</a>

You know the user name and password from the web application so it's a fairly simple matter to pass them in this fashion. In both Netscape and I.E., this prevents the window from coming up (and it does store the information for subsequent requests). If you don't want the user name and password showing up in the status bar, there are some JavaScript tricks to play, such as:

<a href="http://username:password@web-server/resources" onMouseOver="window.status='http://web-server/resource';">Web Server</a>

The above will make it look like a normal link in most JavaScript-aware browsers ...

Good luck,

-Derek

slagdogg at 2007-6-29 10:16:38