Browser Authentication Dialog Box
Is there a way to use Java to drag and drop the browser authentication dialog when a 401 message is received from the web server? I want to know when this dialog is displayed and, instead of it being presented to the user, fill in the credentials for them.
Application overview:
I wrote a web server, so essentially I want to prevent someone from opening an external browser and inserting the localhost and port in order to access the displayed data. My app has a built-in web browser connected to my writing server. The browser displays the decrypted content, so if I force auth (even for my built-in browser) the external browser needs the credentials. If my built-in browser tries to access files, I provide credentials for the user and display the content.
SWT 3.5M6 has a new listener in it called AuthenticationListener. It just listens for the authentication event sent from the server and fires. Below is the code that does the behavior I wanted. It waits for authorization and if the host is my application it returns credentials. Of course, fill in USER_NAME, PASSWORD and HOST_NAME with the appropriate variables. Otherwise, the auth browser dialog opens and the user enters credentials. This code can also be found on the Eclipse SWT snippets page:

    import java.net.MalformedURLException;
    import java.net.URL;
    import org.eclipse.swt.browser.AuthenticationEvent;
    import org.eclipse.swt.browser.AuthenticationListener;

    // webBrowser is the embedded org.eclipse.swt.browser.Browser instance
    webBrowser.addAuthenticationListener(new AuthenticationListener() {
        public void authenticate(AuthenticationEvent event) {
            try {
                URL url = new URL(event.location);
                if (url.getHost().equals(HOST_NAME)) {
                    // challenge came from the application's host: answer it silently
                    event.user = USER_NAME;
                    event.password = PASSWORD;
                } else {
                    /* do nothing, let default prompter run */
                }
            } catch (MalformedURLException e) {
                /* should not happen, let default prompter run */
            }
        }
    });
If you don't need a password, you can create a URL to pass the credentials to, e.g. http://username:password@www.example.com. This will pass an authentication window but show the user the credentials and may also not be what you are looking for.
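The listener above answers the challenge for any URL whose host matches, whatever the scheme or port, and on localhost every other local process shares that host name. An added example (not part of the original post or of SWT) of a stricter match on scheme, host and port; `SCHEME`, `PORT`, their values and `isTrustedOrigin` are assumptions, and `HOST_NAME` is the post's placeholder.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Added example: accept a 401 challenge only from the embedded server's exact origin. */
public class TrustedOrigin {
    // Assumed values for illustration; the post only names HOST_NAME.
    static final String SCHEME = "http";
    static final String HOST_NAME = "localhost";
    static final int PORT = 8080;

    /** True only when scheme, host and effective port all match the embedded server. */
    static boolean isTrustedOrigin(String location) {
        try {
            URI uri = new URI(location);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            if (scheme == null || host == null) {
                return false; // relative or opaque URI: never auto-fill
            }
            int port = uri.getPort();
            if (port == -1) { // no explicit port: use the scheme default
                port = scheme.equalsIgnoreCase("https") ? 443 : 80;
            }
            return scheme.equalsIgnoreCase(SCHEME)
                    && host.equalsIgnoreCase(HOST_NAME)
                    && port == PORT;
        } catch (URISyntaxException e) {
            return false; // unparsable location: let the default prompter run
        }
    }

    public static void main(String[] args) {
        // Constructed sample locations, not taken from the post.
        String[] samples = {
            "http://localhost:8080/data/report.html", // the embedded server
            "http://localhost:9090/data/report.html", // same host, another port
            "http://localhost/data/report.html",      // default port 80
            "https://localhost:8080/",                // different scheme
            "http://localhost.example.com:8080/",     // different host
            "not a url"                               // does not parse
        };
        for (String s : samples) {
            System.out.println(isTrustedOrigin(s) + "  " + s);
        }
    }
}
```

Inside `authenticate`, `event.user` and `event.password` would be set only when `isTrustedOrigin(event.location)` returns true; every other challenge falls through to the default prompter.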
If you want to control what is displayed to the user for authentication, you can change the auth method in the login-config section of the web.xml file from BASIC to FORM.
You can then specify which page should be displayed when authenticating the user and, I suppose, pre-populate the credentials for them ... but doesn't that trump the whole security goal?
Configuring Authentication for Web Applications
Edit after more details:
My only suggestion was to change the auth-method to CLIENT-CERT and require two-way SSL where the client also needs to provide the certificate to the server. If you install the certificate in the built-in browser (and make sure external browsers cannot get the certificate) then you should be fine. And actually that should stop any authentication dialog from being displayed.
Your question is a little unclear. All basic authentication is based on HTTP headers.
If the browser receives an authorization header, it displays a dialog box. The content from the dialog is then sent back to the server. This is nothing special. This username is base64 encoded password. Take a look
The problem is how you want to intervene. You will need to grab the authorization header and then for the next request you need to change the HTTP header to include the credentials.
Hope it helps.
I think this is mostly browser dependent behavior and what the server tells the browser to do.
For example, Internet Explorer, which is a Microsoft product, directly supports automatic submission of Windows credentials (you can change this behavior in Internet settings) after an anonymous request fails with a 401 error.
Firefox, for example, does not and will always prompt the user, even if it was configured to remember the id and password using a password manager. IE will also ask if automatic login fails (for example, Windows credentials still result in 401 because you are not allowed an ID).
As a web developer, I don't think you have much control over this, beyond setting your server and application to work in the most anticipated and harmonious way ... If you could, it might fall into black hat territory.