It's actually in the Intro to J2EE on JBoss training but we don't tend to give those publicly. We're doing an advanced JBoss in August but the security stuff in it is a little heady.
> From: "Richard O. Hammer" <[EMAIL PROTECTED]>
> Reply-To: "Research Triangle Java User's Group mailing list."<[EMAIL PROTECTED]>
> Date: Fri, 09 Apr 2004 13:23:35 -0400
> To: "Research Triangle Java User's Group mailing list."<[EMAIL PROTECTED]>
> Subject: Re: [Juglist] HttpServletRequest.getRemoteUser() and Http Authentication
>
> Thank you, Andy. I didn't find this stuff in my JSP book or the Servlet 2.3 spec.
>
> Andrew Oliver wrote:
>> Basically, but you missed this:
>>
>> If you use *form* authentication the password/user isn't cached at the browser. If you use *basic* authentication then it is.
>>
>> Form authentication is built into Tomcat et al. If you use Basic authentication (aka the little dialog popping up) then it is stored in the browser indefinitely (usually until it is closed).
>>
>> Workflow of a Form based authentication:
>>
>> You request a protected page
>> You have no session cookie
>> Tomcat sends you to the authentication form
>> You enter your user and password and click submit
>> It posts to j_security_check action
>> Tomcat sends you a session cookie
>> Tomcat forwards you to the correct page
>> You request another protected page while your cookie is valid
>> Tomcat sends you to the page skipping the rest
>> Your cookie expires or is invalidated, repeat from the top...
>>
>> Basic Authentication:
>>
>> Same thing but no form, browser dialog and the BROWSER automatically resends the user id and password when asked. Meaning it never asks again until you close the browser.
>>
>
>
>>>> Richard O. Hammer wrote:
>>>>
>>>>> Is there some way that I can cancel or timeout an HTTP authentication?
>>>>>
>>>>> I would like to use HTTP authentication to log into my webapp -- first as one user and then as another user -- both from within one running instance of a browser window. But what I have discovered so far seems to suggest that a browser, once logged into a domain, will always continue to send the same authorization header.
>
>
> _______________________________________________
> Juglist mailing list
> [EMAIL PROTECTED]
> http://trijug.org/mailman/listinfo/juglist_trijug.org
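The form-based workflow quoted above, as an added example that is not part of the thread and not code from the JBoss training or Tomcat: a Servlet 2.3 deployment-descriptor fragment that switches a webapp to FORM authentication, the login form that posts to `j_security_check`, a servlet that reports `getRemoteUser()`, and a logout servlet that invalidates the session so the next protected request starts the workflow from the top. The role name `user`, the paths `/protected/*`, `/login.html`, `/login-error.html`, the realm name and the servlet mappings are assumptions chosen for illustration.

```java
// Added example (not from the original thread): minimal FORM-authentication
// set-up for a Servlet 2.3 container such as Tomcat, plus a logout servlet.
// Role name, paths, realm name and servlet mappings are assumptions.
//
// web.xml fragment (assumed layout):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Protected</web-resource-name>
//       <url-pattern>/protected/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>user</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>FORM</auth-method>
//     <realm-name>Example</realm-name>
//     <form-login-config>
//       <form-login-page>/login.html</form-login-page>
//       <form-error-page>/login-error.html</form-error-page>
//     </form-login-config>
//   </login-config>
//   <security-role><role-name>user</role-name></security-role>
//
// login.html: the container itself handles the POST to j_security_check,
// reading the j_username and j_password fields.
//
//   <form method="POST" action="j_security_check">
//     <input type="text" name="j_username">
//     <input type="password" name="j_password">
//     <input type="submit" value="Log in">
//   </form>

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Mapped (assumed, in web.xml) to /protected/whoami: shows who the container authenticated. */
public class WhoAmIServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // getRemoteUser() is populated by the container once j_security_check
        // succeeded; it is null for a request that was never authenticated.
        out.println("Remote user: " + req.getRemoteUser());
        out.println("Session id: " + req.getSession().getId());
    }
}

/**
 * Mapped (assumed) to /protected/logout: ends the authenticated session.
 * Package-private here only so both servlets fit in one file; deploy it as
 * its own source file in a real webapp.
 */
class LogoutServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            // Under FORM authentication the login is tied to the session, so
            // invalidating it sends the next protected request back to the
            // login form, where a different user can log in.
            session.invalidate();
        }
        // Under BASIC authentication this is not enough: the browser keeps
        // resending the Authorization header until it is closed, as the thread says.
        resp.sendRedirect(req.getContextPath() + "/login.html");
    }
}
```

Visiting `/protected/whoami` without a session triggers the redirect to the login form; after a successful `j_security_check` the servlet prints the authenticated name, and `/protected/logout` clears it so the same browser window can log in as another user.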
