Re: How does Tomcat manage Form-based authentication?
Malcolm Warren wrote:

> I've tried including the session id, but it creates a new one. It's calling a url in another application in the same engine. Can't session info be shared across applications?

No. Session information cannot be shared between contexts (webapps).

> I've allowed single sign-on in server.xml.

I think single sign-on allows you to share container-based authentication between webapps. In other words, if you've authenticated successfully against one webapp, and you've got single sign-on enabled, you're authenticated against other webapps within the same container.

> I don't want to merge them into one application, because I may put one of them in another virtual machine.

Maybe you can persist session info that needs to be shared to a backend database. AFAIK, sessions can't cross contexts per the servlet spec.

> On Fri, 2 Apr 2004 10:31:59 +0200, Ralph Einfeldt <[EMAIL PROTECTED]> wrote:
>
>> That information is stored in the session. So your program has to include the session id that was created by tomcat in the requests (either as cookie or as query parameter)
>>
>>> -Original Message-
>>> From: Malcolm Warren [mailto:[EMAIL PROTECTED]
>>> Sent: Friday, April 02, 2004 10:12 AM
>>> To: Tomcat Users List
>>> Subject: Re: How does Tomcat manage Form-based authentication?
>>>
>>> I'm using an old nuts and bolts programme that actually programmatically sent the "Authorization" header string for BASIC authorization, and I'd like to continue using this programme, but I have to tell the new FORM version that I've already signed in, and I don't know how.

--
Chris Egolf
http://www.ugholf.net
[EMAIL PROTECTED]

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: How does Tomcat manage Form-based authentication?
I've tried including the session id, but it creates a new one. It's calling a url in another application in the same engine. Can't session info be shared across applications?

I've allowed single sign-on in server.xml.

I don't want to merge them into one application, because I may put one of them in another virtual machine.

On Fri, 2 Apr 2004 10:31:59 +0200, Ralph Einfeldt <[EMAIL PROTECTED]> wrote:

> That information is stored in the session. So your program has to include the session id that was created by tomcat in the requests (either as cookie or as query parameter)
>
>> -Original Message-
>> From: Malcolm Warren [mailto:[EMAIL PROTECTED]
>> Sent: Friday, April 02, 2004 10:12 AM
>> To: Tomcat Users List
>> Subject: Re: How does Tomcat manage Form-based authentication?
>>
>> I'm using an old nuts and bolts programme that actually programmatically sent the "Authorization" header string for BASIC authorization, and I'd like to continue using this programme, but I have to tell the new FORM version that I've already signed in, and I don't know how.
RE: How does Tomcat manage Form-based authentication?
That information is stored in the session. So your program has to include the session id that was created by tomcat in the requests (either as cookie or as query parameter)

> -Original Message-
> From: Malcolm Warren [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 02, 2004 10:12 AM
> To: Tomcat Users List
> Subject: Re: How does Tomcat manage Form-based authentication?
>
> I'm using an old nuts and bolts programme that actually
> programmatically sent the "Authorization" header string
> for BASIC authorization, and I'd like to continue using
> this programme, but I have to tell the new FORM
> version that I've already signed in, and I don't know how.
Re: How does Tomcat manage Form-based authentication?
Thank you for your answer.

Sorry about the new thread for new topic business - I hadn't understood the thread mechanism. I presume for this topic I'd better continue as we are and I'll get it right next time.

I was wondering exactly how the servlet container knows whether the user has already authenticated or not. With BASIC authorization an "Authorization" header is sent and based on that the programmes know whether to re-present the sign in or not.

I'm using an old nuts and bolts programme that actually programmatically sent the "Authorization" header string for BASIC authorization, and I'd like to continue using this programme, but I have to tell the new FORM version that I've already signed in, and I don't know how.

On Thu, 1 Apr 2004 09:10:18 -0600, QM <[EMAIL PROTECTED]> wrote:

> On Thu, Apr 01, 2004 at 04:38:49PM +0200, Malcolm Warren wrote:
> : With BASIC authorization, which I used to use, the browser was sent an
> : "Authorization" header.
> :
> : This doesn't happen with FORM-based authorization.
> : I believe Tomcat deals with it all, but how? Anybody know?
>
> Not sure I understand your question -- with FORM-based auth:
>
> - the container detects an attempt to access a protected resource
> - container sends requestor to designated form page, which posts to the blackbox "j_security_check"
> - success => user is taken to originally-requested page
> - failure => user is taken to designated "no-go" page
>
> Is that the answer to your question?
>
> btw, please start new threads for new topics -- replying to an old message plays hell with thread-aware mail readers, even if you change the subject. ;)
>
> -QM
RE: How does Tomcat manage Form-based authentication?
It sends you the html form you specify in the section of web.xml

See chapter 12 (Security) Appendix A (Deployment Descriptor) of Servlet Spec 2.3 for details.
http://java.sun.com/products/servlet/download.html#specs

Martin

> -Original Message-
> From: Malcolm Warren [mailto:[EMAIL PROTECTED]
> Sent: 01 April 2004 15:39
> To: Tomcat Users List
> Subject: How does Tomcat manage Form-based authentication?
>
> With BASIC authorization, which I used to use, the browser was sent an "Authorization" header.
>
> This doesn't happen with FORM-based authorization.
> I believe Tomcat deals with it all, but how? Anybody know?
Re: How does Tomcat manage Form-based authentication?
On Thu, Apr 01, 2004 at 04:38:49PM +0200, Malcolm Warren wrote:
: With BASIC authorization, which I used to use, the browser was sent an
: "Authorization" header.
:
: This doesn't happen with FORM-based authorization.
: I believe Tomcat deals with it all, but how? Anybody know?

Not sure I understand your question -- with FORM-based auth:

- the container detects an attempt to access a protected resource
- container sends requestor to designated form page, which posts to the blackbox "j_security_check"
- success => user is taken to originally-requested page
- failure => user is taken to designated "no-go" page

Is that the answer to your question?

btw, please start new threads for new topics -- replying to an old message plays hell with thread-aware mail readers, even if you change the subject. ;)

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
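
The FORM-auth exchange described in the thread (the container ties login state to the session id, so a non-browser client must carry that id through the login), as an added example that is not part of the original messages. `MockContainer` is a constructed stand-in for the container so the sketch runs offline; the paths `/app/report` and `/app/error.html` and the credentials are assumptions, while `j_security_check`, `j_username` and `j_password` are the servlet spec's names.

```python
import http.client, secrets, threading, urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"malcolm": "s3cret"}  # constructed credentials
SESSIONS = {}  # session id -> {"user": ..., "saved": requested URL}
class MockContainer(BaseHTTPRequestHandler):  # constructed stand-in for the container
    def log_message(self, *args): pass
    def session(self):
        sid = self.headers.get("Cookie", "").partition("JSESSIONID=")[2].split(";")[0]
        return sid, SESSIONS.get(sid)
    def reply(self, code, body="", **headers):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name.replace("_", "-"), value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())
    def do_GET(self):
        sid, sess = self.session()
        if sess and sess["user"]:  # the session, not a header, proves the login
            return self.reply(200, "protected page for " + sess["user"])
        sid = sid if sess else secrets.token_hex(16)
        SESSIONS[sid] = {"user": None, "saved": self.path}  # remember the target
        self.reply(200, "login form", Set_Cookie="JSESSIONID=" + sid)
    def do_POST(self):  # stands in for j_security_check
        sid, sess = self.session()
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        user, pw = form.get("j_username", [""])[0], form.get("j_password", [""])[0]
        ok = sess and USERS.get(user) == pw
        if ok: sess["user"] = user
        self.reply(302, Location=sess["saved"] if ok else "/app/error.html")

def start_mock():
    server = HTTPServer(("127.0.0.1", 0), MockContainer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_port

def form_login(port, path, user, password):
    conn = http.client.HTTPConnection("127.0.0.1", port)
    def send(method, url, body=None, cookie=""):
        conn.request(method, url, body, {"Cookie": cookie,
                     "Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        return resp, resp.read().decode()
    resp, _ = send("GET", path)  # 1. login form + new JSESSIONID
    cookie = resp.getheader("Set-Cookie").split(";")[0]
    creds = urllib.parse.urlencode({"j_username": user, "j_password": password})
    resp, _ = send("POST", "/app/j_security_check", creds, cookie)  # 2. credentials
    return send("GET", resp.getheader("Location"), cookie=cookie)[1]  # 3. same id
```

Against a real Tomcat, re-read `Set-Cookie` after the `j_security_check` response as well: current versions change the session id at login by default to prevent session fixation, so the pre-login id stops being valid.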