stevearmstrong-dev commented on PR #924:
URL: https://github.com/apache/tomcat/pull/924#issuecomment-3575469148
> Changing the authentication type is not an option. It will break too many
> automated tools that use the text based interface.
>
> I also do not see any uses of `request.getAuthType()`.
>
> This is starting to feel like interacting with AI. ("You were absolutely
> right on all points.", references to sending a 401 that don't exist, references
> to `request.getAuthType()` that don't exist).
>
> My sense remains that using `HttpServletRequest.logout()` is the right way
> to go but the real work (that has yet to be done) is in investigating how
> feasible it is for each of the `Authenticator` implementations in Tomcat to
> implement a true logout.

You are correct Mark. I've been using a custom built AI agent for the comms
and some parts of the implementation. Was trying to get more stuff done within
the limited time I have before and after my 9-5. Made some mistakes which I
should've re-reviewed before pushing it over for review. Over time, this agent
that I have been developing would get better, but until then and also after its
development, I'll take care to be more precise. Thanks.

I did research the other options before going ahead with FORM based auth but
couldn't really find a way to get over the limitations. Like the issue with
doing the logout with BASIC auth was that `request.logout()` was clearing the
server side session but the browser was automatically caching and resending the
BASIC auth credentials with every request so I was being logged in
automatically. I tried to poison the cache and while that logged me out
correctly I couldn't log myself back in because now the poisoned cache will
load the poisoned values instead of the actual username and password. Maybe I
can poison the cache while logging out, trigger a clean cache and then re-login
with the right password and username? I don't know if that's even possible
without a wait time, but I need to figure that out. Or maybe the solution is
something different altogether. Again needs discovery on my part.

I agree that if existing tools break by going ahead with FORM based auth
then I will find a solution if possible which doesn't use forms.
Thanks.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
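The logout behaviour discussed in the thread, as an added example that is not code from the pull request or from Tomcat itself: a servlet that calls `HttpServletRequest.logout()`, discards the session, and handles the BASIC case where the browser will resend its cached `Authorization` header regardless. It assumes Tomcat 10+ (the `jakarta.servlet` namespace) and a hypothetical `/logout` path.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

// Hypothetical logout endpoint; the "/logout" path is an assumption for this example.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Read the auth type before logout() clears the principal ("BASIC", "FORM", or null).
        String authType = req.getAuthType();

        // Servlet 3.0+: drops the authenticated principal held by the container.
        req.logout();

        // Also discard the server-side session so nothing keyed to it survives.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        if (HttpServletRequest.BASIC_AUTH.equals(authType)) {
            // Container state is gone, but the browser still holds the cached
            // Authorization header and resends it on the next request, so the user
            // is transparently re-authenticated. The server cannot reliably clear
            // that cache, so report what actually happened instead of pretending
            // the logout is complete.
            resp.setContentType("text/plain");
            resp.getWriter().println("Server-side session cleared. Close the browser "
                    + "to discard cached BASIC credentials.");
        } else {
            // FORM auth: the next request carries no credentials, so the container
            // redirects the user to the configured login page.
            resp.sendRedirect(req.getContextPath() + "/");
        }
    }
}
```

The `BASIC_AUTH` branch is the limitation described above: `logout()` is complete on the server, but whether the client keeps re-sending credentials is outside the container's control.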