[
https://issues.apache.org/jira/browse/GERONIMO-5468?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12910905#action_12910905
]
David Jencks commented on GERONIMO-5468:
----------------------------------------
I had a very informative note from Ron Monzilla. Based on this I think we
should do the following, for both Jetty and Tomcat:

1. Have a Geronimo-managed way of storing credentials in the session. A JASPIC
auth context can supply such credentials in the MessageInfo map using a
Geronimo-specific key. Built-in auth methods can use the same technique.

2. The login method can use the PasswordValidationCallback for a JASPIC auth
context. We'll need some kind of configuration flag to determine if the result
should be stored in the session as in (1).

3. The logout method will always remove the cached credentials from the session
if present. For a JASPIC context it will call cleanSubject (which is not
currently called).

JASPIC auth module providers can use their own way of caching info independent
of the HttpSession. Presumably they can use the cleanSubject method to remove
this info.

> Support authenticate/login/logout methods in the HttpServletRequest interface
> -----------------------------------------------------------------------------
>
> Key: GERONIMO-5468
> URL: https://issues.apache.org/jira/browse/GERONIMO-5468
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Tomcat
> Affects Versions: 3.0-M1, 3.0
> Reporter: Ivan
> Assignee: Han Hong Fang
> Fix For: 3.0
>
> Attachments: GERONIMO-5468-geronimo-2.diff,
> GERONIMO-5468-tomcat-fork.diff, GERONIMO-5468-tomcat-original.diff,
> GERONIMO-5468.patch
>
>
> In Servlet 3.0, authenticate/login/logout methods are added in the
> HttpServletRequest interface; we need to support them in Geronimo's way.
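
The three steps proposed in the comment above, sketched as an added example; this is not Geronimo code and not taken from the attached patches. The class name, method names, the cacheInSession flag and the session key are hypothetical (the comment does not name the Geronimo-specific key); the JASPIC and servlet types are the standard javax APIs.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.callback.PasswordValidationCallback;
import javax.security.auth.message.config.ServerAuthContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;

// Hypothetical helper illustrating the proposal; names are assumptions.
public final class SessionCredentialSketch {
    // Placeholder for the "Geronimo-specific key"; the real key is not given on the page.
    static final String KEY = "example.placeholder.CACHED_CREDENTIALS";

    // Step 1: copy credentials an auth context left in the MessageInfo map into the session.
    static void cacheFromMessageInfo(MessageInfo info, HttpSession session) {
        Object cached = info.getMap().get(KEY);
        if (cached != null) session.setAttribute(KEY, cached);
    }

    // Step 2: login() validates through PasswordValidationCallback; a flag decides on caching.
    static Subject login(CallbackHandler handler, HttpSession session, String user,
                         char[] password, boolean cacheInSession) throws ServletException {
        Subject subject = new Subject();
        PasswordValidationCallback pvc = new PasswordValidationCallback(subject, user, password);
        try {
            handler.handle(new Callback[] { pvc });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new ServletException(e);
        } finally {
            pvc.clearPassword(); // do not keep the password in the callback
        }
        if (!pvc.getResult()) throw new ServletException("login failed");
        if (cacheInSession) session.setAttribute(KEY, subject);
        return subject;
    }

    // Step 3: logout() always drops the cached entry, then lets the auth context clean up.
    static void logout(ServerAuthContext ctx, MessageInfo info, Subject subject,
                       HttpSession session) throws ServletException {
        if (session != null) session.removeAttribute(KEY);
        if (ctx == null) return; // built-in auth method, no JASPIC context
        try {
            ctx.cleanSubject(info, subject);
        } catch (AuthException e) {
            throw new ServletException(e);
        }
    }
}
```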