Thanks for that, Scott! I wonder what it was about 243+40 which made the authentication info available to the bundled web container on subsequent requests - was it a different caching policy?
Cheers
Joe

Scott M Stark wrote:

>This is not a bug. It is legitimate behavior per the servlet specification and
>tomcat standalone will exhibit this if you turn off caching in the FormAuthenticator:
>
>  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
>         debug="3" cache="false"/>
>
>The bundled tomcat turns caching off because it conflicts with the stateless
>propagation of credentials from servlets to ejbs. Until the servlet spec defines
>how authentication information must be propagated in a session any content
>that needs to know the authenticated user must be secured or you have to
>maintain this yourself in the session.
>
>xxxxxxxxxxxxxxxxxxxxxxxx
>Scott Stark
>Chief Technology Officer
>JBoss Group, LLC
>xxxxxxxxxxxxxxxxxxxxxxxx
>----- Original Message -----
>From: "jfc" <[EMAIL PROTECTED]>
>To: "jboss user" <[EMAIL PROTECTED]>
>Sent: Tuesday, August 27, 2002 7:48 AM
>Subject: [JBoss-user] bundled tc4/jetty not remembering previous authentication in single session
>
>
>> Hi,
>>
>>JBoss3.0.0+Jetty??? (don't see any reference to Jetty version in
>>latest bundle)
>>
>>I have created a war file to demonstrate a problem (relating to
>>authentication - FORM-BASED or BASIC on jboss+jetty bundle) with which
>>I have spent a lot of time trying to resolve.
>>
>>The problem is this:
>>
>>1. unauthenticated user's request is to a secured resource;
>>2. login form / basic form is presented to user;
>>3. user logs in successfully i.e. successfully authenticated
>>(req.getRemoteUser(userid) reflects this);
>>4. same user then requests a non-secured resource and is not
>>recognized as being authenticated (request.getRemoteUser(userid)
>>returns null).
>>5. same user requests the previous (point 3) resource and is taken
>>directly to the secured resource (i.e. container recognizes or
>>'remembers' the request as having been authenticated.)
>>
>>I am interested only in persisting this authentication info on the web
>>engine at this point - I'll get to the ejb container later.
>>
>>I have to go back to jboss2.4.3+tc4.0 to get the web container to
>>remember a previous authentication (within the same session of course)
>>- however, anything above those two combinations and it just doesn't
>>remember. I have tried more than one login module implementation
>>without it affecting the result (DatabaseServerLoginModule). Also, I
>>have tried deploying the war into a standalone tomcat container (4.0.4)
>>and the container does remember the previous authentication.
>>
>>I have attached the 'demo-auth-prob.war' file. Just drop it into the
>>jboss 3.0.0 deploy directory to deploy it. (If necessary I can supply
>>the source).
>>
>>Feel free to try the form-based variation by modifying the archived
>>web.xml (currently commented out). The war is currently configured to
>>utilize the UserRolesLoginModule which I believe will be invoked
>>should the jboss-web.xml security realm not be found in your jboss's
>>login-config.xml.
>>
>>Cheers
>>Joe
>>

_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
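
Added example, not part of the thread and not JBoss or Tomcat code: one way to "maintain this yourself in the session", as the quoted reply suggests, using a Servlet 2.3 filter that records the container-authenticated user name on secured requests and exposes it to unsecured resources. The class name `RememberUserFilter` and the session attribute name are hypothetical, and the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: remembers the authenticated user name in the session.
public class RememberUserFilter implements Filter {
    // Hypothetical attribute name; only this filter ever writes it.
    static final String ATTR = "example.authenticatedUser";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        Principal p = req.getUserPrincipal();

        if (p != null) {
            // Secured resource: the container authenticated this request.
            // Record the name from the container's principal, never from
            // request parameters or headers.
            req.getSession(true).setAttribute(ATTR, p.getName());
            chain.doFilter(req, rs);
            return;
        }

        // Unsecured resource: the container reports no user (caching is off).
        HttpSession session = req.getSession(false);
        final String remembered =
            (session == null) ? null : (String) session.getAttribute(ATTR);
        if (remembered == null) {
            chain.doFilter(req, rs);   // never logged in during this session
            return;
        }

        // Expose the remembered name through getRemoteUser() only.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public String getRemoteUser() {
                return remembered;
            }
        }, rs);
    }
}
```

Map the filter to `/*` in web.xml so it sees both secured and unsecured requests. It restores only the user name: `getUserPrincipal()` and `isUserInRole()` still report no authenticated user on unsecured resources, so anything that makes an authorization decision should stay behind a security constraint.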
