Jim,

This has been discussed on JSR154, trying to get this behaviour better described
in the 2.4 servlet spec.  Unfortunately we did not resolve anything
other than agreeing that the behaviour for resources without authentication
constraints is undefined.

My angle on this is that:

  a) Caching authentication is bad.  You can't assume that authentication
     from a previous request is still valid, as realms may be managed
     dynamically, credit may expire etc. etc.

  b) Checking authentication may be expensive as it may be remote and
     involve complicated algorithms - even challenge response.

  c) A secured page may include many resources, such as images that
     do not need to be secured.


So Jetty takes the approach that we only check authentication for
the resources that have an authentication constraint. And thus
the authenticated username is only available for authenticated
resources.

Jetty could be more flexible/configurable on this - but to my
mind security is not something to get wrong.  Thus I think we
will stick with this approach until the spec suggests a better
way forward.

But there is nothing stopping you taking the username from
an authenticated request and putting it in the session yourself
for use by unauthenticated requests.

regards


jfc wrote:
> Hi Greg,
> 
> Any thoughts on that problem I emailed you about? This was the 
> demo-auth-prob.war attachment I emailed on Monday this week. I cc'ed 
> Jules as requested.
> 
> Below is the jetty forum message. I have subsequently received some 
> input from Scott Stark and Craig McClanahan and have the links below 
> (after the message). I am happy that this is not a bug but I am still 
> interested in how jetty implements the relevant portion of the spec. 
> i.e. if jetty provides some way to manually store/cache the auth info 
> for subsequent authenticated requests and whether you have any 
> suggestions for implementing a solution on the jetty+jboss bundle - I 
> would be upgrading to jboss3 as you pointed out the fact that jetty's 
> security is better integrated into the latest version of jboss.
> 
>>> *From:*  "jakespigl3" <[EMAIL PROTECTED]>
>>> <http://groups.yahoo.com/group/jetty-support/post?protectID=045044219153050213015171031024021239000150066136226225152006048067>
>>> *Date:*  Sat Aug 24, 2002  7:09 pm
>>> *Subject:*  web container not remembering previous authentication in 
>>> single session
>>>
>>> Hi, 
>>
>>
>>> JBoss3.0.0+Jetty??? (don't see any reference to Jetty version in
>>> latest bundle)
>>>
>>> I have created a war file to demonstrate a problem(relating to
>>> authentication - FORM-BASED or BASIC on jboss+jetty bundle) with which
>>> I have spent a lot of time trying to resolve.
>>>
>>> The problem is this:
>>>
>>> 1. unauthenticated user's request is to a secured resource;
>>> 2. login form / basic form is presented to user;
>>> 3. user logs in successfully i.e. successfully authenticated
>>> (req.getRemoteUser(userid) reflects this);
>>> 4. same user then requests a non-secured resource and is not
>>> recognized as being authenticated(request.getRemoteUser(userid)
>>> returns null).
>>> 5. same user requests the previous (point 3) resource and is taken
>>> directly to the secured resource (i.e. container recognizes or
>>> 'remembers' the request as having been authenticated.)
>>>
>>> I am interested only in persisting this authentication info on the web
>>> engine at this point - I'll get to the ejb container later.
>>>
>>> I have to go back to jboss2.4.3+tc4.0 to get the web container to
>>> remember a previous authentication (within the same session of course)
>>> - however, anything above those two combinations and it just doesn't
>>> remember. I have tried more than one login module implementation
>>> without it affecting the result (DatabaseServerLoginModule). Also, I
>>> have tried deploying the war into a standalone tomcat container(4.0.4)
>>> and the container does remember the previous authentication.
>>>
>>> I have attached the 'demo-auth-prob.war' file. just drop it into the
>>> jboss 3.0.0 deploy directory to deploy it. (If necessary I can supply
>>> the source).
>>>
>>> Feel free to try the form-based variation by modifying the archived
>>> web.xml (currently commented out). The war is currently configured to
>>> utilize the UserRolesLoginModule which I believe will be invoked
>>> should the jboss-web.xml security realm not be found in your jboss's
>>> login-config.xml.
>>>
>>> Cheers
>>> Jim
>>> (how do I attach the file??)
>>
>>
> 
> The forum links:
> 
> jboss-user:    
> 
>http://www.geocrawler.com/mail/thread.php3?subject=%5BJBoss-user%5D+bundled+tc4%2Fjetty+not+remembering+previous+authentication+in+single+session&list=10767
> 
> 
> 
> tomcat-user:    
> http://www.mail-archive.com/tomcat-user%40jakarta.apache.org/msg64159.html
> 
> Thanks
> jim


-- 
Greg Wilkins<[EMAIL PROTECTED]>             Phone/fax: +44 7092063462
Mort Bay Consulting Australia and UK.          http://www.mortbay.com
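One way to do what the last paragraph of the reply suggests (copy the name from an authenticated request into the session yourself), as an added example that is not from the thread or from Jetty: a Servlet 2.3 filter that records getRemoteUser() when the container has authenticated the request and exposes the recorded name on later unconstrained requests in the same session. The class and session attribute names are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Remembers the user name established on a request that passed an
 * authentication constraint and makes it visible, via getRemoteUser(),
 * to later requests in the same session that had no constraint.
 */
public class RememberUserFilter implements Filter {
    // Session attribute holding the cached name (name is an assumption).
    static final String ATTR = "remembered.user";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        String user = hreq.getRemoteUser();
        if (user != null) {
            // The container authenticated this request: record the name.
            hreq.getSession(true).setAttribute(ATTR, user);
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = hreq.getSession(false);
        final String cached = (session == null) ? null : (String) session.getAttribute(ATTR);
        if (cached == null) {
            chain.doFilter(req, res);
            return;
        }
        // Unconstrained resource: fall back to the name cached earlier. Per point (a)
        // in the reply, the container has not re-checked the credentials on this
        // request, so treat the value as a display hint, not as a basis for access
        // decisions; it disappears when the session is invalidated.
        chain.doFilter(new HttpServletRequestWrapper(hreq) {
            public String getRemoteUser() { return cached; }
        }, res);
    }
}
```

Map the filter to /* in web.xml with a filter-mapping so it runs for both the constrained and the unconstrained resources.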



_______________________________________________
Jboss-development mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-development
