Good evening.
My question is about HttpSession objects creation and destruction within a Servlet/JSP container. I'm using the JBoss/Tomcat bundle (versions 3.2.3/4.1.29) with a database realm properly configured. Here's how things work so far:
1. User goes to a predefined Welcome File (index.html)
2. Within the welcome file there's a link to a protected resource (wich happens to be the application's "main screen")
3. The user clicks the link and the login page appears.
4. The user enters login/password and logs on successfully or is redirected to an error page.
Up to this point everything works fine, but the thing that I don't understand is that the moment the user clicks the link that points to a protected resource an HttpSession object is created by the server even though the user hasn't been authenticated. This behavior kinda ruin my plans because I have a Session Creation/Destruction Listener that is supposed to detect a session creation event in order to be able to place some things (objects) in that user session, but it seems that the created session for the unauthenticated is "recycled" after authentication and my session lifecycle listener is no longer useful (the session already exists)
I've looked into the Servlet spec but couldn't find anything clarifying enough... I'f anyone has any comments, tips, thoughts on this issue I'd like to hear'em... :^)
Regards,
Carlos...
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
