ansaurus

Question

Answer 1

A:

If you want to control what is displayed to the user for authentication, you can change the auth-method in the login-config section of the web.xml from BASIC to FORM.

Then you can specify what page should be displayed when the user is authenticating, and, I suppose, pre-fill the credentials for them...but doesn't this defeat the whole purpose of security?

Setting up Authentication for Web Applications

Edit after further details:

My only suggestion would be to change the auth-method to CLIENT-CERT and require two-way SSL, where the client is also required to present a certificate to the server. If you install the certificate into your embedded browser (and make sure external browsers can't get the certificate) then you should be OK. And actually this should stop any authentication dialog from being displayed.

Michael Sharek 2009-05-21 19:32:19

thanks for the reply. trying to figure best way to explain so here it goes...i wrote the web server, so essentially i want to stop someone from opening an external browser and putting in the localhost and port. my app has an embedded web browser linked to my written server. the browser displays decrypted content, so if i force the auth (even for my embedded browser), an external browser would need credentials. if my embedded browser is trying to access the files, i supply the credentials for the user and display the content.

2009-05-21 19:47:14

OK Ken, suggest you update your question with the details in this comment...I'll update my answer

Michael Sharek 2009-05-21 19:57:23

Thanks for your suggestions Michael. Still not sure what way I will use to get around the issue, but your ideas are useful.

2009-05-21 21:23:36

Answer 2

+1 A:

If you don't care about the password showing you can construct the URL so it passes the credentials ex. http://username:[email protected] This will by pass the authentication box but will show the user the credentials so also might not be what you are looking for.

RedWolves 2009-05-21 19:33:56

Thanks for your reply too. I would want this to happen in the background. the user wouldnt ever know the credentials were needed at all if they were logged into my app using my embedded browser. so i want to keep my credentials secret. this is so external browsers trying to get access to the same file/port would need credentials that they dont have. i supply the credentials for my embedded browser only

2009-05-21 19:52:46

Answer 3

A:

your question is a bit unclear. The whole basic authentication is based on HTTP Headers.

If the browser gets an authorization header than it displays the dialog. The content from the dialog is then send back to the server. There is nothing special about it. It iser username:password in base64 encoded. Have a look at

wikipedia

The problem is how you want to interfere. You would have to capture the authorization header and then for the next request you have to alter the HTTP header to include the credentials.

hope that helps

Norbert Hartl 2009-05-21 19:36:28

thanks. i have it already sending all headers back and forth, and i can access my content if i enter the credentials. i want to know how in java i can intercept that auth header (so the dialog doesnt get displayed) and fill in those credentials. exactly as you stated. a few of my comments above basically describe my app for your reference

2009-05-21 19:57:23

Answer 4

A:

I think this is mostly browser-dependent behavior and what the server reports to the browser.

For example, Internet Explorer, being a Microsoft product, directly supports automatic sending of Windows credentials (you can modify this behavior in your Internet Settings) after an anonymous request fails in a 401.

Firefox, for example, does not and will always prompt the user even if it was set to remember the id and password via the password manager. IE will also prompt if auto-login fails (such as your Windows credentials still result in a 401 because you're id isn't allowed).

I don't think, as a web developer, you have much control over this besides setting up your server and app to work in the most expected and harmonious way... if you could, this might get into black hat territory.

Yadyn 2009-05-21 19:37:26

Answer 5

A:

SWT 3.5M6 has a new listener within it call AuthenticationListener. It simply listens for authentication event passed from the server and is fired. The code below is what performs the behavior I wanted. It waits for the auth, and if the host is my application, it passes back the credentials. Of course fill in the USER_NAME, PASSWORD and HOST_NAME with appropriate variables. Otherwise it lets the browser auth dialog pop up and makes the user enter the credentials. This code can also be found in the Eclipse SWT snippets page:

webBrowser.addAuthenticationListener(new AuthenticationListener()

{

  public void authenticate(AuthenticationEvent event) {
   try {
    URL url = new URL(event.location);

    if (url.getHost().equals(HOST_NAME)) 
    {
     event.user = USER_NAME;
     event.password = PASSWORD;
    } 
    else 
    {  
     /* do nothing, let default prompter run */
    }
   } catch (MalformedURLException e) {
    /* should not happen, let default prompter run */
   }
  }
 });

2009-05-29 14:31:17

Did you get this to work? It seems to have no effect for me and the listener is never called.

willcodejavaforfood 2009-07-23 12:55:07

@willcodejavaforfood - This will work if its trying to AUTHENTICATE, not if it's trying to AUTHORIZE. I had the same problem you did where it never actually hit that code at all. I just passed credentials in the URL like RedWolves suggested.

Ryan Elkins 2010-05-11 18:19:42

@Ryan - Thanks :)

willcodejavaforfood 2010-05-12 08:14:55

ansaurus

tags:

views:

answers:

Over-ride Browser Authentication Dialog

related questions