users@glassfish.java.net

Re: Easiest and most portable way to authenticate programmatically.

From: Felipe Gaúcho <fgaucho_at_gmail.com>
Date: Wed, 10 Feb 2010 13:22:48 +0100

If you enable the security manager and use container-managed
authentication, BASIC authentication is for free....

To handle that programmatically seems simpler at first glance, but soon
you realize how messy it is...

I strongly suggest you delegate to Glassfish the security part of
your application....

On Wed, Feb 10, 2010 at 1:19 PM, <glassfish_at_javadesktop.org> wrote:
> Hi guys,
>
> Thank you for the replies.  It looks like I may be able to get either of those suggestions working.  I think the new functionality in Servlet 3.0 will do what I need.
>
> I can collect credentials on the client side and successfully log in using HttpServletRequest#login.  I'm struggling with subsequent requests though.  It's basically the part that jszczepankiewicz lists as 'step 2' in the first reply.
>
> I've been trying to do some trial and error to figure things out, but it's very time consuming.  Is there something I can add to HttpServletResponse (headers) that will cause the browser to treat subsequent requests the same as BASIC authentication (send credentials with every request)?
>
> Initially I assumed that once I called login(userid, password) that my client (app) would stay authenticated for the rest of the session and the browser would take care of adding the appropriate auth headers to subsequent requests, but it doesn't appear to work that way.  Now that I understand things a bit better, would it be correct to say that once I authenticate programmatically I'll be responsible for attaching the appropriate auth info / credentials to all subsequent requests?
>
> jszczepankiewicz, if you'd be willing to share your solution I'd be extremely grateful (ryan-jszc_at_jptech.ca).  The solution you described is very similar to what I'm hoping to end up with, but I'm really struggling with the Flex side of things at the moment.  I haven't tried it yet, but I know enough now that I should be able to do the following:
>
> 1) Authenticate via HttpServletRequest#login.
> 2) Store valid credentials / auth info in my Flex application.
> 3) Add the appropriate headers / credentials to outbound http requests.
>
> Unfortunately the same thing won't work for a (Flex) RemoteObject.  I'll post on the Flex forums to get help with that though.  I'm hoping there's a way I can intercept outbound http requests in my Flex client and add auth info / credentials.  I'm also not positive how (or if I need to) deal with session timeouts.
>
> Thanks again for the replies.  Any more clarification / suggestions anyone can give me will be appreciated.
>
> Ryan
>
> P.S.  I'll second jszczepankiewicz's thank you for JSR196.  It looks like it'll be very useful if I ever need to use OpenID, Facebook Connect, etc...
> [Message sent by forum member 'jptech' (ryan_at_jptech.ca)]
>
> http://forums.java.net/jive/thread.jspa?messageID=385865



-- 
------------------------------------------
   Felipe Gaúcho
   10+ Java Programmer
   CEJUG Senior Advisor