Form Authentication question

2012-07-30 Thread Kris Easter

I'm looking at the org.apache.catalina.authenticator.FormAuthenticator
class from the 7.0.29 src.  This portion of the authenticate method
starting around line 301 is where I'm having a little problem:


if (log.isDebugEnabled()) {
    log.debug("Authentication of '" + username + "' was successful");
}

if (session == null) {
    session = request.getSessionInternal(false);
}

if (session == null) {
    if (containerLog.isDebugEnabled()) {
        containerLog.debug
            ("User took so long to log on the session expired");
    }

    if (landingPage == null) {
        response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
                sm.getString("authenticator.sessionExpired"));
    } else {
        // Make the authenticator think the user originally requested
        // the landing page
        String uri = request.getContextPath() + landingPage;
        SavedRequest saved = new SavedRequest();
        saved.setMethod("GET");
        saved.setRequestURI(uri);
        request.getSessionInternal(true).setNote(
                Constants.FORM_REQUEST_NOTE, saved);
        response.sendRedirect(response.encodeRedirectURL(uri));
    }
    return (false);
}


If the user sits too long on the login page the session times out, even
if their credentials were authenticated successfully, and sends them
back to the login page where they must re-enter their credentials.  It
works this way even if I define a landingPage.  Without a landingPage I
get the dreaded 408 error.

Can anyone enlighten me as to why it's a bad idea if:

 if (session == null) {
     session = request.getSessionInternal(false);
 }

is instead:

 if (session == null) {
     session = request.getSessionInternal(true);
 }

Thanks,
Kris



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Form Authentication question

2012-07-30 Thread Mark Thomas
On 30/07/2012 21:24, Kris Easter wrote:
 
 I'm looking at the org.apache.catalina.authenticator.FormAuthenticator
 class from the 7.0.29 src.  This portion of the authenticate method
 starting around line 301 is where I'm having a little problem:
 
 
 if (log.isDebugEnabled()) {
     log.debug("Authentication of '" + username + "' was successful");
 }

 if (session == null) {
     session = request.getSessionInternal(false);
 }

 if (session == null) {
     if (containerLog.isDebugEnabled()) {
         containerLog.debug
             ("User took so long to log on the session expired");
     }

     if (landingPage == null) {
         response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
                 sm.getString("authenticator.sessionExpired"));
     } else {
         // Make the authenticator think the user originally requested
         // the landing page
         String uri = request.getContextPath() + landingPage;
         SavedRequest saved = new SavedRequest();
         saved.setMethod("GET");
         saved.setRequestURI(uri);
         request.getSessionInternal(true).setNote(
                 Constants.FORM_REQUEST_NOTE, saved);
         response.sendRedirect(response.encodeRedirectURL(uri));
     }
     return (false);
 }
 
 
 If the user sits too long on the login page the session times out, even
 if their credentials were authenticated successfully, and sends them
 back to the login page where they must re-enter their credentials.  It
 works this way even if I define a landingPage.  Without a landingPage I
 get the dreaded 408 error.
 
 Can anyone enlighten me as to why it's a bad idea if:
 
  if (session == null) {
      session = request.getSessionInternal(false);
  }
 
 is instead:
 
  if (session == null) {
      session = request.getSessionInternal(true);
  }

Because the session defines where to go after the authentication i.e.
which page the user requested originally. I suppose we could allow the
user to transition to the landing page in that case.

Mark


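The flow Mark describes, as an added illustration that is not Tomcat's code: a toy in-memory session store stands in for the servlet session, FORM_REQUEST_NOTE for Constants.FORM_REQUEST_NOTE, and the class and method names (FormLoginModel, challenge, afterLogin, expire) are invented for this model. It shows why a brand-new session from getSessionInternal(true) cannot replace the expired one: the note recording the originally requested page lives only in the session that was challenged.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the form-login flow from the thread (added illustration, not Tomcat code).
public final class FormLoginModel {
    static final String FORM_REQUEST_NOTE = "FORM_REQUEST_NOTE"; // stands in for Constants.FORM_REQUEST_NOTE
    static final class SavedRequest { final String method, uri; SavedRequest(String m, String u) { method = m; uri = u; } }
    static final class Session {
        final String id; final Map<String, Object> notes = new HashMap<>();
        Session(String id) { this.id = id; }
    }
    private final Map<String, Session> sessions = new HashMap<>();
    private int nextId = 1;

    // Models request.getSessionInternal(create): null when the cookie names no live session.
    Session getSession(String id, boolean create) {
        Session s = id == null ? null : sessions.get(id);
        if (s == null && create) { s = new Session("S" + nextId++); sessions.put(s.id, s); }
        return s;
    }
    void expire(String id) { sessions.remove(id); } // session timed out while the user sat on the form

    // Step 1: protected page requested; save the original request, then send the user to the form.
    String challenge(String requestedUri) {
        Session s = getSession(null, true);
        s.notes.put(FORM_REQUEST_NOTE, new SavedRequest("GET", requestedUri));
        return s.id; // the JSESSIONID the browser sends back with j_security_check
    }

    // Step 2: j_security_check with valid credentials. Only the session that stored the note
    // knows the original page; a brand-new session carries no note, so creating one cannot help.
    String afterLogin(String sessionId, String contextPath, String landingPage) {
        Session session = getSession(sessionId, false);
        SavedRequest saved = session == null ? null : (SavedRequest) session.notes.get(FORM_REQUEST_NOTE);
        if (saved != null) return "302 " + saved.uri; // replay the page the user originally asked for
        if (landingPage == null) return "408 Request Timeout";
        String uri = contextPath + landingPage;
        getSession(null, true).notes.put(FORM_REQUEST_NOTE, new SavedRequest("GET", uri));
        return "302 " + uri; // the landing page stands in for the forgotten original request
    }

    public static void main(String[] args) {
        FormLoginModel m = new FormLoginModel();
        String sid = m.challenge("/app/reports");
        System.out.println(m.afterLogin(sid, "/app", "/home")); // session still alive
        m.expire(sid);
        System.out.println(m.afterLogin(sid, "/app", "/home")); // session gone, landingPage set
        System.out.println(m.afterLogin(sid, "/app", null));    // session gone, no landingPage
        String fresh = m.getSession(null, true).id;             // what getSessionInternal(true) yields
        System.out.println(m.afterLogin(fresh, "/app", null));  // live but empty session: same dead end
    }
}
```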



Re: Form Authentication question

2012-07-30 Thread Kris Easter
On Mon, 2012-07-30 at 14:36 -0600, Mark Thomas wrote:
 On 30/07/2012 21:24, Kris Easter wrote:
  
 ... 
  
  If the user sits too long on the login page the session times out, even
  if their credentials were authenticated successfully, and sends them
  back to the login page where they must re-enter their credentials.  It
  works this way even if I define a landingPage.  Without a landingPage I
  get the dreaded 408 error.
  
  Can anyone enlighten me as to why it's a bad idea if:
  
   if (session == null) {
       session = request.getSessionInternal(false);
   }
  
  is instead:
  
   if (session == null) {
       session = request.getSessionInternal(true);
   }
 
 Because the session defines where to go after the authentication i.e.
 which page the user requested originally. I suppose we could allow the
 user to transition to the landing page in that case.
 
 Mark

That would be preferable for my use case.

Kris

