Re: WO and Apache Basic HTTP authentication
- Subject: Re: WO and Apache Basic HTTP authentication
- From: Anjo Krank <email@hidden>
- Date: Tue, 21 Sep 2004 17:09:45 +0200
You need to do something like this and make sure that some_realm is the same
as in your PHP pages, which will make the browser send the credentials
on its own:
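
    import java.io.IOException;
    import com.webobjects.appserver.WOContext;
    import com.webobjects.appserver.WOResponse;
    import com.webobjects.foundation.NSArray;

    // Reads the Authorization request header and hands the decoded
    // username and password to setCredentials().
    protected void decodeAuthorization() {
        NSArray r = context().request().headersForKey("authorization");
        String up = null;
        if (r != null && r.count() > 0) {
            String username = null;
            String password = null;
            up = (String)r.objectAtIndex(0);
            if (up.startsWith("Basic ")) {
                up = up.substring("Basic ".length());
            }
            // sun.misc.BASE64Decoder is a JDK-internal class;
            // java.util.Base64 replaces it on Java 8 and later.
            sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
            byte[] decodedBytes = null;
            try {
                decodedBytes = dec.decodeBuffer(up);
                up = new String(decodedBytes);
                up = up.trim(); // trim() returns a new String
                if (up.length() > 0 && up.indexOf(":") > 0) {
                    // Split at the first colon; the password may contain colons
                    username = up.substring(0, up.indexOf(":"));
                    password = up.substring(up.indexOf(":") + 1, up.length());
                }
            } catch (IOException e) {
                log.error(e, e);
            }
            setCredentials(username, password);
        }
    }

    // Renders the page only for an authenticated user; otherwise sends
    // a 401 challenge so the browser supplies credentials for the realm.
    public void appendToResponse(WOResponse r, WOContext c) {
        decodeAuthorization();
        if (user() != null) {
            super.appendToResponse(r, c);
        } else {
            r.setStatus(401);
            // setHeader takes the value first, then the header name;
            // the realm is sent as a quoted string.
            r.setHeader("Basic realm=\"some_realm\"", "WWW-Authenticate");
            r.setContent("<h1>access denied</h1>");
        }
    }
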
On 21.09.2004 at 16:54, Benjamin Adair wrote:

> Morning all.
>
> I have written about this before, but I'll recap.
>
> Our website uses basic http authentication, driven by mod_mysql and a
> mysql database to provide authentication into the various private
> sections of our web site. I have been working on including that http
> authentication into my WebObjects applications for those that need to
> be included. However, I realized today and remembered with help from
> Francis's reply earlier this year that things will not work as hoped:
>
> > Finally, if you need to provide an easy way for your user to browse
> > back and forth from the static protected area to the WebObjects
> > application without having to authenticate twice, I'm afraid I'm not
> > sure it's possible. Maybe you can create a special trick to pass
> > the proper header...
>
> Should a user log in and browse to my WO application they would have
> to re-authenticate. Which is what will happen when a user goes from
> /Private/SomeStuff.html -> /cgi-bin/WebObjects/MyApplication.
>
> Has anyone worked with this sort of deployment environment? Is it
> possible to fool the browser/Apache via mod_rewrite that a particular
> application is in /Private/MyApplication, so that the authorization
> header would be passed within the request to my application? Or
> perhaps, since the pages are coded in .php, would it be possible, as
> Francis suggests, to add a header that would pass the info? Perhaps
> passing the authorization directly in the URL? It would be ugly, but
> my session-based applications already have the session ID in every URL
> as it is.
>
> Thank you in advance.
>
> Ben
>
> --
> Benjamin Adair
> Central Office Database Programmer/Analyst
> Cancer & Leukemia Group B
> Phone: 773-702-6731
> Fax: 312-345-0117
> Email: email@hidden
> Web: http://www.calgb.org/
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
email@hidden
This email sent to email@hidden
Cheers, Anjo
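
The header parsing from the reply above, as an added example that is not part of the original thread: a stand-alone Java version using java.util.Base64 (Java 8+) that returns null for a non-Basic scheme, malformed base64, a missing separator or an empty username. The class and method names are hypothetical, and UTF-8 credentials are an assumption.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example, not code from the thread. BasicAuthHeader and parse()
// are hypothetical names; the sample headers in main() are constructed.
public final class BasicAuthHeader {
    public final String username;
    public final String password;

    private BasicAuthHeader(String username, String password) {
        this.username = username;
        this.password = password;
    }

    /** Returns the parsed credentials, or null when the header is absent or malformed. */
    public static BasicAuthHeader parse(String header) {
        if (header == null) return null;
        String h = header.trim();
        // The scheme name is case-insensitive; anything other than Basic is rejected
        if (!h.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(h.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid base64
        }
        // Assumption: the client encoded the credentials as UTF-8
        String up = new String(raw, StandardCharsets.UTF_8);
        int colon = up.indexOf(':'); // first colon only: a password may contain ':'
        if (colon <= 0) return null; // no separator, or empty username
        return new BasicAuthHeader(up.substring(0, colon), up.substring(colon + 1));
    }

    private static String basic(String userColonPass) {
        return Base64.getEncoder().encodeToString(userColonPass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Lower-case scheme and a password containing a colon
        BasicAuthHeader c = parse("basic " + basic("ben:pa:ss"));
        System.out.println(c.username + " / " + c.password);
        // Each of the following is rejected and prints null
        System.out.println(parse("Digest username=\"ben\""));
        System.out.println(parse("Basic !!!not-base64!!!"));
        System.out.println(parse("Basic " + basic(":onlypassword")));
        System.out.println(parse("Basic " + basic("nocolon")));
    }
}
```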