Re: Loosing identify when switching to non-protected webresource

2002-05-07 Thread jfc100 

Hi,

I am experiencing the exact same problem. Here is my post to the struts list:

Hi,


Has anyone encountered the following situation using form-based auth in catalina?


1. login successfully using 'j_security_check';

2. the next request happens to be to an unsecured url (e.g. /do/frontpage
(with no restrictions in web.xml) -- DispatchServlet -- user.frontpage
(tiles)) ; 
3. the request methods 'getUserPrincipal()', 'isUserInRole()'
and 'getRemoteUser()' tell me the user is not logged in (in DispatchServlet)! 


 (I'm using jboss244+tomcat401, struts1.0, tiles)


I heard this might be an issue with jboss.


Can anyone confirm?


Joe


I don't know how JBoss behaves, but this is exactly
how WebSphere behaves.

  -TP


I have found the same using jb241a+tc323 as well as jb300RC2+tc403.

I started looking at the tomcat code but I'm not sure I want to commit the time it may 
take to understand the intricacies when someone 
else may well have an answer.

I'd like to know whether this is worth pursuing or if perhaps it is better to 
sacrifice the declarative model for a role-your-own approach.

Joe

From: Erwin Teseling 
Subject:  Loosing identify when switching to non-protected webresource
Date:  Thu, 21 Feb 2002 15:57:12 +0100

I am using the combination of Tomcat/Jboss and am having problems
when
using webcontainer security (using j_security_check).

I have some resource protected in my web.xml (using security-
contraint
tag). Now when I try to acces this resource Tomcat presents me my
loginform and validates my identify. If this is correct I will gain
access to the secured resource. So far so good.

Now I have a custom tag that verifies the role in which I am to
display
some pages differently. My tag nicely detects the users identity
(using
getUserPrincipal() method). Now when I go to a non-secured jsp-page,
my
tag returns null on getUserPrincipal?!?! When I switch to a secured
jsp-page it does work and I receive the correct identity. I have the
same behaviour in servlets.

I was not expecting this behaviour and I really need to be able to
determine the identity on these non-secured resources (both servlets
and
jsp). It there a setting that makes Tomcat behave in this way and is
there a way to change this behaviour.

Thanks,
Erwin



--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]

Loosing identify when switching to non-protected webresource

2002-02-21 Thread Erwin Teseling 

I am using the combination of Tomcat/Jboss and am having problems when 
using webcontainer security (using j_security_check).

I have some resource protected in my web.xml (using security-contraint 
tag). Now when I try to acces this resource Tomcat presents me my 
loginform and validates my identify. If this is correct I will gain 
access to the secured resource. So far so good.

Now I have a custom tag that verifies the role in which I am to display 
some pages differently. My tag nicely detects the users identity (using 
getUserPrincipal() method). Now when I go to a non-secured jsp-page, my 
tag returns null on getUserPrincipal?!?! When I switch to a secured 
jsp-page it does work and I receive the correct identity. I have the 
same behaviour in servlets.

I was not expecting this behaviour and I really need to be able to 
determine the identity on these non-secured resources (both servlets and 
jsp). It there a setting that makes Tomcat behave in this way and is 
there a way to change this behaviour.

Thanks,
Erwin



--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]