RE: Additional invocations to the UserManager

2001-09-04 Thread Juan Lorandi (Chile)

all inline.

 -Original Message-
 From: Curt Smith [mailto:[EMAIL PROTECTED]]
 Sent: Monday, 03 September 2001 9:31
 To: Orion-Interest
 Subject: RE: Additional invocations to the UserManager
 
 
 I bounced the client, deleted cache/cookies and still saw the auto-login
 behavior on every request to my UserManager without seeing the login dialogue
 the 2nd--Nth time.  So how could the client be silently supplying the
 user/pass on every request???  Still looks like the container is calling
 UserManager with its cached copy of user/passwd

The browser caches it. Read RFC 1945 (HTTP 1.0), section 11. Here are some
quotes:

Section 11
   The domain over which credentials can be automatically applied by a
   user agent is determined by the protection space. If a prior request
   has been authorized, the same credentials may be reused for all other
   requests within that protection space for a period of time determined
   by the authentication scheme, parameters, and/or user preference.
   Unless otherwise defined by the authentication scheme, a single
   protection space cannot extend outside the scope of its server.
/Section 11

So, with BASIC Auth, regardless if the server challenges the user _every time_
for its username and password, given a realm, the browser sends its
authentication. This goes back to the time where there was no session support on
web servers (it was 4 or 5 years ago, not THAT long). Instead of asking the user
for its username and password every time, the browser caches a successful
user/passwd pair and resends them (provided the challenge comes from the same
'realm'). This is 'legacy' behavior of the browser. And the spec accepts it.
 
 I could have run my client through a logging proxy to tattle-tale whether
 the container was issuing an HTTP challenge on every get/post or not??

Of course, check for WWW-Authenticate; if the server challenges every time,
then it should be a part of the response. This is, however, unlikely-- orion
must be reading the headers, and reauthenticating the user every
time, regardless of challenges.
 
 Given that I bounced my client and deleted cookies/cache I'm still
 mystified about HTTP challenge issues???   Regardless I've moved on to
 FORM authentication and folks on this list find value in the current HTTP
 challenge behavior for their development cycle not pestering them for
 re-login  :-/

Yap, and that's the main use I've given to BASIC, it speeds up the devel cycle,
no matter how many times you restart the server.
 
 curt
 
 
 Nope. This is browser, not orion behavior. It complies with the HTTP specs.
 
 
 
  I saw this too and went to FORM authentication and don't see this
  anymore.
 
  I still use UserManager to receive the user/passwd from the FORM
  via the Container, but I don't see the UserManager calls on every
  request.
 
  Based on this, I feel it's a bug in orion that BASIC behaves this
  way.
 
  curt
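
The behavior described in this message, as an added example that is not part of the original thread and is not Orion code: a BASIC-auth check that sees the browser's cached `Authorization` header on every request, plus a short-lived cache of verified credentials so the costly user-store lookup does not run each time. `CountingUserManager`, `BasicAuthGate`, the TTL and the sample values are hypothetical names and assumptions.

```python
import base64
import hashlib
import hmac
import os
import time


class CountingUserManager:
    """Hypothetical stand-in for a costly custom user store; counts lookups."""

    def __init__(self, users):
        self.users, self.calls = users, 0

    def authenticate(self, user, password):
        self.calls += 1
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())


class BasicAuthGate:
    """Validates the Authorization header that arrives on every request."""

    def __init__(self, manager, realm, ttl=300.0, clock=time.monotonic):
        self.manager, self.realm, self.ttl, self.clock = manager, realm, ttl, clock
        self._key = os.urandom(32)  # cache keys are HMACs, never raw credentials
        self._verified = {}         # HMAC(token) -> expiry time

    def handle(self, headers):
        """Return (status, response_headers) for one request's headers."""
        challenge = {"WWW-Authenticate": f'Basic realm="{self.realm}"'}
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            return 401, challenge      # no credentials yet: challenge the client
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:             # bad base64 or bad UTF-8
            return 401, challenge
        user, sep, password = decoded.partition(":")
        if not sep:
            return 401, challenge
        tag = hmac.new(self._key, token.encode(), hashlib.sha256).digest()
        now = self.clock()
        if self._verified.get(tag, 0.0) > now:
            return 200, {}             # verified recently: skip the user store
        if not self.manager.authenticate(user, password):
            return 401, challenge
        # Trade-off: a changed or revoked password stays valid up to ttl seconds.
        self._verified[tag] = now + self.ttl
        return 200, {}
```

Only the first, header-less request gets a `WWW-Authenticate` challenge; every later request carries the credentials unprompted, which is why the user store is hit again unless something like the TTL cache sits in front of it.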
 
 
 




RE: Additional invocations to the UserManager

2001-09-03 Thread Curt Smith

I bounced the client, deleted cache/cookies and still saw the auto-login
behavior on every request to my UserManager without seeing the login
dialogue
the 2nd--Nth time.  So how could the client be silently supplying the
user/pass on every request???  Still looks like the container is calling
UserManager with its cached copy of user/passwd

I could have run my client through a logging proxy to tattle-tale whether
the container was issuing an HTTP challenge on every get/post or not??

Given that I bounced my client and deleted cookies/cache I'm still
mystified about HTTP challenge issues???   Regardless I've moved on to
FORM authentication and folks on this list find value in the current HTTP
challenge behavior for their development cycle not pestering them for
re-login  :-/

curt


Nope. This is browser, not orion behavior. It complies with the HTTP specs.



 I saw this too and went to FORM authentication and don't see this
 anymore.

 I still use UserManager to receive the user/passwd from the FORM
 via the Container, but I don't see the UserManager calls on every
 request.

 Based on this, I feel it's a bug in orion that BASIC behaves this
 way.

 curt






RE: Additional invocations to the UserManager

2001-09-01 Thread Curt Smith

I saw this too and went to FORM authentication and don't see this
anymore.

I still use UserManager to receive the user/passwd from the FORM
via the Container, but I don't see the UserManager calls on every
request.

Based on this, I feel it's a bug in orion that BASIC behaves this
way.

curt


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Trujillo, Kris
Sent: Friday, August 31, 2001 6:11 PM
To: Orion-Interest
Subject: Additional invocations to the UserManager



I have written a custom UserManager and have set up security-constraints
against several JSPs in my application...everything works great..almost.
I'm noticing that after the user has successfully been authenticated that my
UserManager is being recalled for every page request made by the user.  The
difference being that the user is not reprompted to enter a username and
password.  The problem with this is that it causes a lot of additional
overhead because the user is reauthenticated and has the group checking
revalidated for every request.  Is it possible to set up Orion so it won't
behave this way?  It seems like once the user has been authenticated once
that they should not be reauthenticated until their session has expired.

Thanks





RE: Additional invocations to the UserManager

2001-09-01 Thread Juan Lorandi (Chile)

Nope. This is browser, not orion behavior. It complies with the HTTP specs.

 -Original Message-
 From: Curt Smith [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, 01 September 2001 10:43
 To: Orion-Interest
 Subject: RE: Additional invocations to the UserManager
 
 
 I saw this too and went to FORM authentication and don't see this
 anymore.
 
 I still use UserManager to receive the user/passwd from the FORM
 via the Container, but I don't see the UserManager calls on every
 request.
 
 Based on this, I feel it's a bug in orion that BASIC behaves this
 way.
 
 curt
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of 
 Trujillo, Kris
 Sent: Friday, August 31, 2001 6:11 PM
 To: Orion-Interest
 Subject: Additional invocations to the UserManager
 
 
 
 I have written a custom UserManager and have set up security-constraints
 against several JSPs in my application...everything works great..almost.
 I'm noticing that after the user has successfully been authenticated that my
 UserManager is being recalled for every page request made by the user.  The
 difference being that the user is not reprompted to enter a username and
 password.  The problem with this is that it causes a lot of additional
 overhead because the user is reauthenticated and has the group checking
 revalidated for every request.  Is it possible to set up Orion so it won't
 behave this way?  It seems like once the user has been authenticated once
 that they should not be reauthenticated until their session has expired.
 
 Thanks
 
 




RE: Additional invocations to the UserManager

2001-08-31 Thread Juan Lorandi (Chile)

Sounds a lot like BASIC authentication. If so, then Orion's behavior is as
defined by the spec, and presents the same behavior as IIS, Apache and
Netscape Enterprise.

 -Original Message-
 From: Trujillo, Kris [mailto:[EMAIL PROTECTED]]
 Sent: Friday, 31 August 2001 18:11
 To: Orion-Interest
 Subject: Additional invocations to the UserManager
 
 
 
 I have written a custom UserManager and have set up security-constraints
 against several JSPs in my application...everything works great..almost.
 I'm noticing that after the user has successfully been authenticated that my
 UserManager is being recalled for every page request made by the user.  The
 difference being that the user is not reprompted to enter a username and
 password.  The problem with this is that it causes a lot of additional
 overhead because the user is reauthenticated and has the group checking
 revalidated for every request.  Is it possible to set up Orion so it won't
 behave this way?  It seems like once the user has been authenticated once
 that they should not be reauthenticated until their session has expired.
 
 Thanks