views:

149

answers:

3

I am writing a tomcat app, and have a need to do authentication within the URL like this:

https://user:password@app.wibble.com

Except for the life of me I'm not sure how to set it up or able to find the docs to read up on it; clearly my Google skills need work.

Can anyone tell me where I should be looking for this kind of info or where to start?

Cheers

Andy

A: 

I don't think that's a legal URL. If I'm reading the RFC correctly, '@' isn't legal in the host section - app.wibble.com - of a URL, and HTTP URLs don't have the user and password sections. Email and FTP ones do, but not HTTP.

Maybe https://app.wibble.com/user/password, but I'd advise against putting the password in the URL. It'd end up in some cache where it can be found.

sblundy
See §3.2 of RFC 2396. http://www.ietf.org/rfc/rfc2396.txt
erickson
Yup, you're right, I'm thinking of the wrong URL formats.
Andy
Pretty much every browser will accept that format and convert it into a correct HTTP request with the info in the header (if the server challenges for the info).
Affe
This statement is not accurate. IE removed support for this since version 7. So the most popular browsers on the market (IE7 and IE8) don't accept this format.
ZZ Coder
I stand corrected :) (now if only people would stop using IE6 so we could all stop writing broken web pages to support it.)
Affe
According to RFC 3986 section 3.2.1, username@password is allowed, but FROWNED upon. According to RFC 2616 section 3.2.2, `http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] `
irreputable
A: 

It's up to the client to take the credentials from the URL and put them into the correct headers for the supported authentication method (like HTTP Basic or Digest). The server will just receive the location ("/", in this case) and the WWW-Authenticate header, which should be processed by Tomcat if you have container-managed authentication set up correctly.

erickson
+2  A: 

Authenticating that way is called HTTP BASIC, which may help with your searching :)

Essentially you need an element in your web.xml like this:

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myRealm</realm-name>
</login-config>

Then you need to set up a realm for your users:

http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Configuring%20a%20Realm

Then you need to create some users in the tomcat-users.xml file.

Now you can start using <security-constraint> elements in your web.xml to manage access.

As an aside, with modern browsers, you must actually use container-managed security if you want to use BASIC. Sometimes people try to parse the request in a servlet and get a username/password out of it. Modern browsers will 'protect' you from disclosing your password needlessly by not putting the login and password in the header unless an initial call to the server without it fails with a challenge for BASIC credentials.

Affe
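To make the flow in this answer concrete, here is an added example (not from the question or the answers, and not Tomcat's own code) that models both sides in Python: the client splits the credentials out of a user:password@host URL and builds the Basic Authorization header, while the server side, standing in for the container's realm check, answers 401 with a WWW-Authenticate challenge until valid credentials arrive. The USERS table, realm name and password are constructed stand-ins for what tomcat-users.xml and the realm-name element would hold.

```python
import base64
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for tomcat-users.xml (assumption, not real data).
USERS = {"andy": "s3cret"}
REALM = "myRealm"  # matches the <realm-name> in the answer's web.xml
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}

def split_credentials(url):
    """Return ((user, password), url_without_userinfo); creds is None if absent."""
    parts = urlsplit(url)
    if parts.username is None:
        return None, url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return (parts.username, parts.password or ""), clean

def basic_header(user, password):
    """Build the header a browser sends once it has been challenged for Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}

def server(headers):
    """Container-side check: (status, response headers). 401 + challenge until valid."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, dict(CHALLENGE)
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # malformed token is treated as absent
        return 401, dict(CHALLENGE)
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return 200, {}
    return 401, dict(CHALLENGE)

def browser_fetch(url):
    """Mimic a modern browser: first request goes without credentials; only a
    Basic challenge makes it resend with the Authorization header."""
    creds, clean_url = split_credentials(url)
    status, resp = server({})
    exchange = [(status, resp)]
    if status == 401 and creds and resp.get("WWW-Authenticate", "").startswith("Basic "):
        status, resp = server(basic_header(*creds))
        exchange.append((status, resp))
    return clean_url, exchange
```

The exchange list returned by browser_fetch shows the two round trips the answer describes, which is why a servlet that only inspects the first request never sees the credentials.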