The BasicAuthenticationPipelineServlet class provides authentication using the Basic HTTP authentication mechanism. A component for this servlet is not included in the standard servlet pipelines, but the class is available for use in servlet pipelines you might create in your own applications.

If a request comes in without an authorization header, this servlet immediately sends back a reply that causes the browser to pop up an authorization window. The user is expected to enter a user name and password. The request is then repeated, this time with an authorization header. The servlet checks that the user name and password in the header are valid. If so, the servlet passes the request to the next servlet in the pipeline. Subsequent requests contain the correct authorization and no longer cause the authorization window to pop up. The request is never passed on if the correct authorization is not received.

Checking the user name and password is performed by a separate component that implements atg.servlet.pipeline.Authenticator. This defines a single method called authenticate, that takes a user name and password and returns true if the combination is valid, false if not. ATG provides an implementation of Authenticator called atg.servlet.pipeline.BasicAuthenticator. This takes a passwords property of type Properties, that maps user IDs to passwords. If a user ID/password combination is found in the passwords property, the authentication is successful. Otherwise, the authentication fails. Other Authenticator implementations are possible, such as implementations that check names and passwords in a database.


The following example shows how to configure an authentication servlet and authenticator:



In this example, the authentication servlet passes a request to SomeHandler only if the request is authenticated with a name and password found in the passwords property of the authenticator component. The realm property specifies what realm is to be shown to the user in the window that asks for name and password.