[
https://issues.apache.org/jira/browse/GERONIMO-5468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12909118#action_12909118
]
David Jencks commented on GERONIMO-5468:
----------------------------------------
I think that the Request.login method should never cache the authenticated
user. One of the points of JASPIC was to give the external authentication
mechanism control over how and when the authenticated user is cached (e.g. for
form login). However, there's no way into the JASPIC workflow from this login
method.

If a client wants to avoid requesting credentials on each request, I think it
needs to put the credentials in a safe place (such as the session) itself and
call the login() method on each request. I don't think the spec is very clear
on this, so I will try to get some expert opinions.
> Support authenticate/login/logout methods in the HttpServletRequest interface
> -----------------------------------------------------------------------------
>
> Key: GERONIMO-5468
> URL: https://issues.apache.org/jira/browse/GERONIMO-5468
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Tomcat
> Affects Versions: 3.0-M1, 3.0
> Reporter: Ivan
> Assignee: Han Hong Fang
> Fix For: 3.0
>
> Attachments: GERONIMO-5468-geronimo-2.diff,
> GERONIMO-5468-tomcat-fork.diff, GERONIMO-5468-tomcat-original.diff,
> GERONIMO-5468.patch
>
>
> In Servlet 3.0, authenticate/login/logout methods are added in the
> HttpServletRequest interface; we need to support them in Geronimo's way.
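The per-request pattern described in the comment above, written out as an added illustration (not code from Geronimo, the attached patches or the commenter): a Servlet 3.0 filter reads credentials that the application itself stored in the session and calls `HttpServletRequest.login()` on every request. The class name and the session attribute names are assumptions made for this example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: re-authenticates each request from credentials the
// application placed in the session after its own login step succeeded.
public class PerRequestLoginFilter implements Filter {
    // Assumed attribute names, chosen for this example only.
    static final String USER_ATTR = "example.login.user";
    static final String PASS_ATTR = "example.login.password";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpSession session = request.getSession(false); // never create a session here

        // login() throws ServletException if an identity is already established
        // on the request, so call it only when the request is unauthenticated.
        if (session != null && request.getUserPrincipal() == null) {
            String user = (String) session.getAttribute(USER_ATTR);
            String pass = (String) session.getAttribute(PASS_ATTR);
            if (user != null && pass != null) {
                try {
                    request.login(user, pass);
                } catch (ServletException e) {
                    // Stored credentials no longer validate (password changed,
                    // account disabled): discard them and refuse the request.
                    session.removeAttribute(USER_ATTR);
                    session.removeAttribute(PASS_ATTR);
                    ((HttpServletResponse) res)
                            .sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
            }
        }
        // Requests without stored credentials pass through unauthenticated and
        // are left to the container's security constraints.
        chain.doFilter(req, res);
    }
}
```

With this pattern the session holds a reusable password, so the session store and the session cookie need the same protection as the credential itself.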