Fog Creek Software
Discussion Board




A way to bypass the user/password dialog in IE?

In order to "integrate" an existing application into a new one, I'm thinking I could display the old one inside an iFrame in the new application's page. My only problem is that the existing application uses HTTP Basic Authentication (you know, the kind that opens a user/password dialog). That is, I need to do single sign-on to the old app.

I've done several tests building an "authentication proxy" in Java but I was wondering if any of you guys know of a way to bypass the browser's login dialog by programmatically sending it the user's credentials.

I guess an ActiveX could do the trick (I have to worry only about IE). Would it be too hard to write?

Dario Vasconcelos
Saturday, May 17, 2003

Do you mean specifying the URL like:

http://user:pass@site.com

?

Chris Blaise
Sunday, May 18, 2003

Maybe I am missing the point, but why not just remove the HTTP authentication?

On Apache, it is normally just a question of deleting one or two files (.htaccess and .htpassword). Remove that, and replace with whatever authentication you use in the 'parent' app.

tapiwa
Sunday, May 18, 2003

What authentication mechanism does your "outer" application use?

Just me (Sir to you)
Monday, May 19, 2003

Oh my. To my total embarrassment, the "http://user:password@site.com" works!! I had completely forgotten about that URL format.

It still doesn't do the full trick. The thing is this: I'm trying to configure a portal (developed by one very large ERP vendor) to do single sign-on to applications built in FileMaker. These apps are already coded and can't use a different login method than Basic Authentication. It doesn't support form-based or certificates. If I disable the authentication, FileMaker won't be able to track user statistics, which apparently are very important.

SAP's portal (oops, I gave out the name of the vendor :-) can't handle Basic Authentication natively, and can only access sites using the common "http://site.com" format. Since every user in the portal will want to access the FileMaker apps, the portal needs to build a dynamic URL for each one, but it won't handle "http://user:password@site.com" formats. It can only do something like "http://site.com?par1=a&par2=b".

During my investigation, I found out there's something called Browser Helper Objects (BHO) that could do the trick. But that is now discarded (I gave the ActiveX idea a second thought and it is not desirable by any means).

Thanks, anyway!

Dario Vasconcelos
Monday, May 19, 2003

Can you create an intermediate page or site somewhere that takes the output URL from the portal and re-directs to a dynamically constructed URL in the required format? That is, have a page called by the portal (in the form site.com/page.asp?user=a&pass=b) that reads the query string parameters and does an immediate redirect to a new URL (in the form user:pass@site.com) constructed using the input query parameters. This page could be an ASP page, or CGI, or Perl, etc, etc.

Philip Dickerson
Monday, May 19, 2003

Dario,

Are you sure about the SAP info?

"mySAP Workplace supports standard authentication with user name and password. The SAP Pluggable Authentication Service also supports the use of all external authentication technologies. For companies with more extensive security requirements, SAP recommends certificate-based authentication with Secure Sockets Layer (SSL), a scaleable procedure that can be used for both internal and external access. "
http://www.sapinfo.net/index.php4?ACTION=noframe&url=http://www.sapinfo.net/public/en/print.php4/article/comvArticle-193333c63b68097fcf/en

Just me (Sir to you)
Tuesday, May 20, 2003

Philip:
That's exactly what I did! I morphed my proxy into a very simple JSP that receives three parameters: the URL, user and password, builds the user:pwd@site string and does the redirection.

Sir:
According to the local SAP portal expert (here in Mexico sometimes the representatives from American companies aren't very knowledgeable), their portal allows only three authentication methods:
* form-based authentication
* certificates (with SSL)
* SAP ticket (he has yet to explain what that means)

From what I read in the article you linked, he's missing something, surely. I guess he won't complain about the redirection solution...

Dario Vasconcelos
Tuesday, May 20, 2003

BTW, thanks to all for your very valuable comments. This is one great forum...

Dario Vasconcelos
Tuesday, May 20, 2003
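The redirect page discussed in this thread (URL, user and password in, `user:pwd@site` out), as an added example that is not code from any poster. It shows two checks such a page needs: the target host is matched against an allowlist so the credentials are not handed to whatever host the `url` parameter names, and the credentials are percent-encoded so a `:`, `@` or `/` in a password cannot move the host boundary. `ALLOWED_HOSTS`, the host name and the function names are hypothetical.

```python
import base64
from urllib.parse import quote, urlsplit, urlunsplit

# Hypothetical allowlist: hosts of the legacy Basic-auth applications.
ALLOWED_HOSTS = {"filemaker.example.internal"}


def build_userinfo_redirect(target, user, password, allowed_hosts=ALLOWED_HOSTS):
    """Return the Location value for the redirect, or raise ValueError."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    # A target that already carries userinfo ("http://good@other/") would make
    # the text before '@' look like the host; refuse it outright.
    if "@" in parts.netloc:
        raise ValueError("target must not contain userinfo")
    # Without this check the page forwards credentials to any host in `url`.
    if parts.hostname not in allowed_hosts:
        raise ValueError("host not allowed")
    # safe="" encodes ':', '@' and '/' too, so the password cannot end the
    # userinfo early or change which host is contacted.
    userinfo = quote(user, safe="") + ":" + quote(password, safe="")
    netloc = userinfo + "@" + parts.netloc
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def basic_authorization_header(user, password):
    """Header value a client sends for these credentials (RFC 7617).

    Base64 is an encoding, not encryption: anything that sees the header
    or the redirect URL can recover the password.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Constructed sample input.
    print(build_userinfo_redirect(
        "http://filemaker.example.internal/app?db=x", "dario", "p@ss:w/rd"))
    print(basic_authorization_header("Aladdin", "open sesame"))
```

The user and password still travel in the query string of the request to the redirect page and in the `Location` header, so they can end up in server logs and browser history.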
