Re: Form Based Authentication creates user session before it is authenticated?
No, you'd have to write your own authentication mechanism. Tomcat is required to store the request that triggered authentication for re-play after a successful authentication. If not the request, where else should it be stored? Christopher, thanks for the reply. This is inline with my analysis. Actually, I am trying to address 'Session Fixation' issue in my web application. I saw your reply on thread http://www.nabble.com/How-to-avoid-session-fixation--td15311806.html. In one of the reply you gave following suggestion to address the issue: - a custom valve contains the whole implementation - requests to the servlet/URI j_security_check are intercepted - for intercepted requests the current session is destroyed and a new one is created: -- snip -- ... request.getSession().invalidate(); request.getSession(true); ... -- snap -- - to have a proper redirect to the originally requested page the original request has to be copied from the old session to the new one. I filter out any references to the old session id, although I'm not sure whether this is really necessary. I think, this would solve my problem. The only blocker for me is step: requests to the servlet/URI j_security_check are intercepted. I did not get good info on google which would teach me how I can do this. Pointers on this would be of great help. Thanks, Umesh P.S: BTW, is Tomcat planning to resolve this vulnerability in near future? -- View this message in context: http://www.nabble.com/Form-Based-Authentication-creates-user-session-before-it-is-authenticated--tp23455945p23515249.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Based Authentication creates user session before it is authenticated?
Christopher, I got the solution. Thanks. Umesh -- View this message in context: http://www.nabble.com/Form-Based-Authentication-creates-user-session-before-it-is-authenticated--tp23455945p23515281.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Form Based Authentication creates user session before it is authenticated?
Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web application to create a session until user logs into the system. I tried to figure out how form authenticator is working. I got source code of FormAuthenticator at: http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm While processing first request, tomcat calls FormAuthenticator.authenticate() method which is calling getSession method which creates a session. Is there any way to avoid this and tell tomcat to not create session. Inputs on this will be of great help. Thanks in advance. - Umesh -- View this message in context: http://www.nabble.com/Form-Based-Authentication-creates-user-session-before-it-is-authenticated--tp23455945p23455945.html Sent from the Tomcat - User mailing list archive at Nabble.com. - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org