Form Authentication question
I'm looking at the org.apache.catalina.authenticator.FormAuthenticator class from the 7.0.29 src. This portion of the authenticate method starting around line 301 is where I'm having a little problem:

    if (log.isDebugEnabled()) {
        log.debug("Authentication of '" + username + "' was successful");
    }

    if (session == null) {
        session = request.getSessionInternal(false);
    }
    if (session == null) {
        if (containerLog.isDebugEnabled()) {
            containerLog.debug
                ("User took so long to log on the session expired");
        }
        if (landingPage == null) {
            response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
                    sm.getString("authenticator.sessionExpired"));
        } else {
            // Make the authenticator think the user originally requested
            // the landing page
            String uri = request.getContextPath() + landingPage;
            SavedRequest saved = new SavedRequest();
            saved.setMethod("GET");
            saved.setRequestURI(uri);
            request.getSessionInternal(true).setNote(
                    Constants.FORM_REQUEST_NOTE, saved);
            response.sendRedirect(response.encodeRedirectURL(uri));
        }
        return (false);
    }

If the user sits too long on the login page the session times out, even if their credentials were authenticated successfully, and sends them back to the login page where they must re-enter their credentials. It works this way even if I define a landingPage. Without a landingPage I get the dreaded 408 error.

Can anyone enlighten me as to why it's a bad idea if:

    if (session == null) {
        session = request.getSessionInternal(false);
    }

is instead:

    if (session == null) {
        session = request.getSessionInternal(true);
    }

Thanks,
Kris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Form Authentication question
On 30/07/2012 21:24, Kris Easter wrote:
> I'm looking at the org.apache.catalina.authenticator.FormAuthenticator class from the 7.0.29 src. This portion of the authenticate method starting around line 301 is where I'm having a little problem:
>
>     if (log.isDebugEnabled()) {
>         log.debug("Authentication of '" + username + "' was successful");
>     }
>
>     if (session == null) {
>         session = request.getSessionInternal(false);
>     }
>     if (session == null) {
>         if (containerLog.isDebugEnabled()) {
>             containerLog.debug
>                 ("User took so long to log on the session expired");
>         }
>         if (landingPage == null) {
>             response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
>                     sm.getString("authenticator.sessionExpired"));
>         } else {
>             // Make the authenticator think the user originally requested
>             // the landing page
>             String uri = request.getContextPath() + landingPage;
>             SavedRequest saved = new SavedRequest();
>             saved.setMethod("GET");
>             saved.setRequestURI(uri);
>             request.getSessionInternal(true).setNote(
>                     Constants.FORM_REQUEST_NOTE, saved);
>             response.sendRedirect(response.encodeRedirectURL(uri));
>         }
>         return (false);
>     }
>
> If the user sits too long on the login page the session times out, even if their credentials were authenticated successfully, and sends them back to the login page where they must re-enter their credentials. It works this way even if I define a landingPage. Without a landingPage I get the dreaded 408 error.
>
> Can anyone enlighten me as to why it's a bad idea if:
>
>     if (session == null) {
>         session = request.getSessionInternal(false);
>     }
>
> is instead:
>
>     if (session == null) {
>         session = request.getSessionInternal(true);
>     }

Because the session defines where to go after the authentication i.e. which page the user requested originally.

I suppose we could allow the user to transition to the landing page in that case.

Mark
Re: Form Authentication question
On Mon, 2012-07-30 at 14:36 -0600, Mark Thomas wrote:
> On 30/07/2012 21:24, Kris Easter wrote:
> > ...
> > If the user sits too long on the login page the session times out, even if their credentials were authenticated successfully, and sends them back to the login page where they must re-enter their credentials. It works this way even if I define a landingPage. Without a landingPage I get the dreaded 408 error.
> >
> > Can anyone enlighten me as to why it's a bad idea if:
> >
> >     if (session == null) {
> >         session = request.getSessionInternal(false);
> >     }
> >
> > is instead:
> >
> >     if (session == null) {
> >         session = request.getSessionInternal(true);
> >     }
>
> Because the session defines where to go after the authentication i.e. which page the user requested originally.
>
> I suppose we could allow the user to transition to the landing page in that case.
>
> Mark

That would be preferable for my use case.

Kris
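
Added example, not part of the thread and not Tomcat code: a simplified Java model of the branch discussed above, showing why a session created after the old one expired has no saved request to redirect to. The class, method and note-key names are hypothetical; `createIfMissing` stands in for `getSessionInternal(true)` versus `getSessionInternal(false)`, and the landing-page fallback for a newly created session is an assumption based on Mark's suggestion.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model (assumption, not Tomcat source): a session is a map of
// notes, and FORM_REQUEST_NOTE holds the URI requested before the login form.
public class FormLoginModel {
    static final String FORM_REQUEST_NOTE = "form.request"; // constructed key name

    /** Outcome once the submitted credentials have been accepted. */
    static String afterLogin(Map<String, String> session, String landingPage,
                             boolean createIfMissing) {
        if (session == null && createIfMissing) {
            session = new HashMap<>();   // models getSessionInternal(true)
        }
        if (session == null) {           // models getSessionInternal(false) == null
            if (landingPage == null) {
                return "408 Request Timeout";
            }
            // The landing page becomes the saved request of a new session,
            // but no principal is attached to it, so the user has to log in
            // again (the behaviour reported in the first message).
            return "redirect " + landingPage + " (not authenticated)";
        }
        String saved = session.get(FORM_REQUEST_NOTE);
        if (saved != null) {
            return "redirect " + saved + " (authenticated)";
        }
        // The expired session took the saved request with it, so the new
        // session alone cannot say where the user was going.
        return landingPage != null
                ? "redirect " + landingPage + " (authenticated)"
                : "no saved request: no redirect target";
    }

    public static void main(String[] args) {
        Map<String, String> live = new HashMap<>();
        live.put(FORM_REQUEST_NOTE, "/app/reports");   // constructed sample URI

        System.out.println("live session:            " + afterLogin(live, null, false));
        System.out.println("expired, no landing:     " + afterLogin(null, null, false));
        System.out.println("expired, landing page:   " + afterLogin(null, "/app/home", false));
        System.out.println("create=true, no landing: " + afterLogin(null, null, true));
        System.out.println("create=true, landing:    " + afterLogin(null, "/app/home", true));
    }
}
```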