I’d like to write a servlet filter that processes BASIC authentication headers even if the web application is configured using FORM authentication. I see that this is possible somehow because Jenkins managed to do this. (see: http://sorcerer.jenkins-ci.org/ –> jenkins.security.ApiTokenFilter)
I have a simple demo with a simple logging MyAuthFilter, a secured web resource and the following web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">-->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID"
         version="2.5">
    <filter>
        <filter-name>MyAuthFilter</filter-name>
        <filter-class>com.foobar.auth.MyAuthFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>MyAuthFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>ServletAdaptor</servlet-name>
        <servlet-class>com.sun.jersey.spi.container.servlet.ServletContainer</servlet-class>
        <init-param>
            <param-name>com.sun.jersey.config.property.packages</param-name>
            <param-value>com.ericsson</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>ServletAdaptor</servlet-name>
        <url-pattern>/secure/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <description>all</description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>AuthenticatedUser</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>foobar</realm-name>
    </login-config>-->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ossrealm</realm-name>
        <form-login-config>
            <form-login-page>/public/login.jsp</form-login-page>
            <form-error-page>/public/error.html</form-error-page>
        </form-login-config>
    </login-config>
</web-app>
My problem is that MyAuthFilter is never invoked when I request the secured resource; I am silently redirected to the login page. If I disable the security constraint, the filter gets called.
What am I missing? How can I get FORM-based and BASIC auth to be mixed?
Note: please do not comment on the aim itself (mixing the methods); it is because my web application incorporates a RESTful service that must be reachable via BASIC auth from scripts (as Jenkins is), but redirecting to the login page is necessary when it is used from a web browser.
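As an added example (not code from the question, and not Jenkins' ApiTokenFilter), here is what a filter of the kind the question describes looks like: it honours a BASIC Authorization header when one is present and otherwise falls through so the container's FORM login applies to browsers. It assumes Servlet 3.0 or later for HttpServletRequest.login(), which validates the credentials against the same container realm the FORM login uses, and it assumes the filter is actually reached; as the question observes, a declarative security-constraint covering the same path is checked by the container before any filter runs, so the path served by this filter would have to be left out of that constraint and the role check done here instead.

```java
// Added example, not the question's own MyAuthFilter.
// Assumes Servlet 3.0+ (HttpServletRequest.login/logout) and that the filter
// is reached, i.e. the path is not covered by a container <security-constraint>.
package com.foobar.auth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyAuthFilter implements Filter {

    // Same realm name as <realm-name> in the question's web.xml.
    private static final String REALM = "ossrealm";
    // Role required for the protected resource, as in the <auth-constraint>.
    private static final String REQUIRED_ROLE = "AuthenticatedUser";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        boolean hasBasic = header != null && header.regionMatches(true, 0, "Basic ", 0, 6);

        if (request.getUserPrincipal() == null && hasBasic) {
            // A script sent credentials: authenticate against the container realm.
            String[] credentials = decodeBasic(header.substring(6).trim());
            if (credentials == null) {
                reject(response);
                return;
            }
            try {
                request.login(credentials[0], credentials[1]);
            } catch (ServletException e) {
                // Wrong user or password; challenge again, never redirect scripts to login.jsp.
                reject(response);
                return;
            }
        }

        if (request.getUserPrincipal() == null) {
            // No credentials at all: let the container's FORM login handle the
            // browser case (redirect to /public/login.jsp).
            chain.doFilter(req, res);
            return;
        }

        // Authorization, since the declarative constraint no longer covers this path.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        try {
            chain.doFilter(req, res);
        } finally {
            if (hasBasic) {
                // Scripts resend credentials each time; do not leave a logged-in
                // session behind for a request that authenticated with a header.
                request.logout();
            }
        }
    }

    /** Returns {user, password}, or null if the token is not Base64 "user:password". */
    static String[] decodeBasic(String token) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    private static void reject(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    public void destroy() { }
}
```

Two points worth checking in a deployment like this: a failed BASIC attempt must answer 401 with a WWW-Authenticate challenge rather than the FORM redirect, or scripts will receive the login page with a 200 status and silently treat it as success; and whatever path is removed from the container's security-constraint so that this filter can run must still be mapped to the filter, otherwise it becomes reachable without any authentication at all.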
No way, based on my attempts. One can do this only by using Spring Security.