
Rewriting inbound Java server authorization headers prior to authentication

We have a REST API delivered via Apache Tomcat that a Flash web application is intended to communicate with.

Authentication is performed with Basic auth over SSL (although the password inside the basic auth is SHA-2'ed). The issue is that using basic authentication for the Flash client is causing the standard browser log-in box to appear because of "WWW-Authentication: Basic" in the header. Flash is unable to bypass this by manually setting the Authorization header prior to the request.

Other clients need to be able to authenticate via the existing mechanisms, so rewriting the authentication logic would not be ideal.

I have the idea that the authorization headers sent to and received from the Flash client could be dynamically rewritten to use another name for Basic auth, which would cause the browser not to understand the auth mechanism and not present the dialog box. Authentication headers to and from Tomcat could be rewritten from "WWW-Authenticate: Basic" to "WWW-Authenticate: PretendBasic", but ideally the built-in container security could still handle the basic auth after the rewrite.

I wrote a filter to rewrite inbound headers from "WWW-Authenticate: PretendBasic" to "WWW-Authenticate: Basic", hoping the next filter chain would be auth and the request would be handled as normal. Unfortunately the Servlet specification states that a filter cannot be inserted prior to authentication. I think the only possibility of this working is to create a stackable JAAS authentication module that would first perform a header rewrite on requests if coming from the Flash client, and then pass authentication through to the existing container managed security systems.

Since I'm unfamiliar with JAAS, I'm hoping the community could shed some light on how to accomplish this, and whether it is a good idea in the first place.

If your Flash application always works with a server protected with Basic, it can ask for the credentials prior to generating the first request to the web services. So the first request will already include the authentication header and you won't receive a 401 in response.

I would have thought that enabling authentication via WWW-Authenticate, as an imitation of HTTP Basic, would do the trick.

Where you currently have HTTP Basic authentication working, just add another authenticator which does HTTP Basic but against the WWW-Authenticate header instead of the Authorization header.

You can then include the header in Flash and ignore HTTP Basic in that client.

I've done similar, using 3 different authentication schemes, on Jetty. I'm not sure what the Tomcat way would be.
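For the Tomcat side that the last answer leaves open, the following is an added example (not code from the question or any answer) of the header rewrite the question describes, done as a Tomcat Valve rather than a servlet Filter: context-level valves in Tomcat run before the container's authenticator valve, so the existing Basic realm and security constraints are untouched. It assumes Tomcat 8.5/9 (javax.servlet); the package and class names are hypothetical.

```java
// Added example: maps "Authorization: PretendBasic <b64>" onto the standard
// "Basic <b64>" before Tomcat's BasicAuthenticator runs, and renames the
// "WWW-Authenticate: Basic" challenge on a 401 so the browser does not show
// its login dialog for the Flash request. Package/class names are hypothetical.
package com.example.auth;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.tomcat.util.buf.MessageBytes;

public class PretendBasicValve extends ValveBase {

    private static final String PRETEND_SCHEME = "PretendBasic ";
    private static final String BASIC_SCHEME = "Basic ";

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        boolean rewritten = false;
        // Only rewrite over TLS: the credentials are still plain Basic, so the
        // renamed scheme must not become a way to send them in the clear.
        if (request.isSecure()) {
            MessageBytes auth = request.getCoyoteRequest()
                    .getMimeHeaders().getValue("authorization");
            if (auth != null) {
                String value = auth.toString();
                if (value.regionMatches(true, 0, PRETEND_SCHEME, 0, PRETEND_SCHEME.length())) {
                    // Replace the header in place: BasicAuthenticator reads this
                    // same MimeHeaders entry and will see an ordinary Basic token.
                    auth.setString(BASIC_SCHEME + value.substring(PRETEND_SCHEME.length()));
                    rewritten = true;
                }
            }
        }

        // Hand off to the authenticator valve and the rest of the pipeline.
        getNext().invoke(request, response);

        // On a failed attempt the authenticator has set 401 and the Basic
        // challenge via sendError(), which does not commit the response yet.
        if (rewritten && response.getStatus() == 401 && !response.isCommitted()) {
            String challenge = response.getHeader("WWW-Authenticate");
            if (challenge != null
                    && challenge.regionMatches(true, 0, BASIC_SCHEME, 0, BASIC_SCHEME.length())) {
                response.setHeader("WWW-Authenticate",
                        PRETEND_SCHEME + challenge.substring(BASIC_SCHEME.length()));
            }
        }
    }
}
```

The valve's jar goes in Tomcat's own lib directory (not the webapp's WEB-INF/lib) and is enabled with `<Valve className="com.example.auth.PretendBasicValve"/>` in the application's META-INF/context.xml. A request that never carried a PretendBasic header still gets the normal Basic challenge, so the Flash client should send its credentials on the first request, as the first answer suggests.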

