2 replies Latest Post - ‏2013-01-25T00:16:27Z by Jacek_Laskowski
Jacek_Laskowski

Pinned topic HttpServletRequest#getAuthType gives BASIC after HttpServletRequest#login?

‏2013-01-17T09:51:14Z |
Hi,

I just came across a few new security-centered methods in javax.servlet.http.HttpServletRequest: login, logout and authenticate.

I noticed that in WAS 8.5.0.1 with security turned on and a successful call to HttpServletRequest#login with the WebSphere admin credentials, HttpServletRequest#getAuthType returns BASIC. Why? Why is it not FORM_AUTH? I can't find an explanation of it in the Java Servlet 3.0 specification. I haven't checked it out in other application servers, and wonder how consistent and reliable it is.

A sample servlet is described on my Polish blog in Zmiany w Java EE 6 w javax.servlet.http.HttpServletRequest - metody login oraz logout, so the content might not be of much help to many, but the sample code and a browser's screenshot should.

Any help appreciated.

Jacek
Japila :: verba docent, exempla trahunt
Updated on 2013-01-25T00:16:27Z at 2013-01-25T00:16:27Z by Jacek_Laskowski
  • gas
    ACCEPTED ANSWER

    Re: HttpServletRequest#getAuthType gives BASIC after HttpServletRequest#login?

    ‏2013-01-18T16:25:36Z  in response to Jacek_Laskowski
    Hi,

    The default authentication mechanism is BASIC if you don't provide any <login-config> in the deployment descriptor.
    If you create a DD and add the following:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>test</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login.jsp</form-error-page>
        </form-login-config>
    </login-config>

    subsequent calls to the servlet will report:
    AuthType: FORM

    BTW.
    There is no FORM_AUTH :-)), only BASIC, FORM, CLIENT_CERT and DIGEST (rarely supported)
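
The behaviour discussed in this thread can be checked with a small probe servlet. This is an added example, not code from the posts or from the blog entry mentioned above: it calls login() and records getAuthType() before login, after login and after logout, so the output can be compared with and without a <login-config> in web.xml. The class name, URL pattern and the "user"/"password" parameter names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical probe servlet; name, URL pattern and parameter names are assumptions.
@WebServlet("/authtype-probe")
public class AuthTypeProbeServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        StringBuilder out = new StringBuilder();
        report(out, "before login", req);

        // login() throws ServletException when a caller identity is already
        // established, so only attempt it for an anonymous request.
        if (req.getUserPrincipal() == null) {
            try {
                req.login(req.getParameter("user"), req.getParameter("password"));
            } catch (ServletException e) {
                // Bad credentials or programmatic login not supported by the container.
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
                return;
            }
        }
        report(out, "after login", req);

        // logout() resets the caller identity for this request.
        req.logout();
        report(out, "after logout", req);

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().print(out);
    }

    // Appends the container-reported auth type and caller name for one stage.
    private static void report(StringBuilder out, String stage, HttpServletRequest req) {
        String authType = req.getAuthType(); // null when the caller is not authenticated
        out.append(stage)
           .append(": authType=").append(authType)
           .append(" remoteUser=").append(req.getRemoteUser())
           // The HttpServletRequest constants hold the strings "BASIC" and "FORM".
           .append(" basic=").append(HttpServletRequest.BASIC_AUTH.equals(authType))
           .append(" form=").append(HttpServletRequest.FORM_AUTH.equals(authType))
           .append('\n');
    }
}
```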