At 09:35 3/28/01 -0500, you wrote:
thanks for your reply, but i am not using sessions any way.
either this does not happen when i use simple basic authentication.
it seems that session management is turned on some way, when
i use form based sec.
any hint?
Not sure I understand what you mean by not using sessions? You mean
you never access any instances of HttpSession?
yes, this is what i mean.
Did you do something
like get rid of(from server.xml):
RequestInterceptor
className="org.apache.tomcat.session.StandardSessionInterceptor" /
no, i haven't dared ;-)
To the best of my knowledge Tomcat does session management despite
whatever type of authentication you are using(correct me if I'm wrong
anyone...).
this is the answer i was looking for: by default, sessions are working under the hood.
the basic authorization is likely to be a bit more slack dealing with timeout, since
the client just has to send correct authorization headers.
I believe your servlet would work fine, as long as you
don't get an instance of HttpSession, if you removed the RequestInterceptor
for the Session Manager; but jsp pages will still have a problem.
Of course, this is all to the best of my knowledge...
thanks again for your answer.
btw: servlet specs v2.2 do not describe the authentication scheme used by form based
auth. where can i find a tomcat-based description of it?
simone
Anyone else have comments on this?
---
Michael Wentzel
Software Developer
Software As We Think - http://www.aswethink.com
mailto:[EMAIL PROTECTED]
- Punisher of those who cannot spell dumb!