Thanks Christopher.
Great explanation.
Finally, my problem was solved by upgrading to Tomcat 7.0.21.
On 7.0.16, my application doesn't work fine with SSL realm (see
previous emails).
Upgrading to 7.0.21 (clean install, really) solved the problem and works fine.
Regards
2011/9/16
André,
On 9/17/2011 9:31 AM, André Warnier wrote:
Christopher Schultz wrote: ...
Thanks for all these explanations. And as an aside:
The only way to terminate a BASIC login is to issue another 401
response,
I did not even know that this
André,
On 9/20/2011 2:01 PM, Christopher Schultz wrote:
I had to use mod_asis and stick this file (logout) on my disk:
Status: 401 Unauthorized
WWW-Authenticate: Basic realm="My Realm"
Here is my config if anyone is interested:
Location
Christopher Schultz wrote:
...
Thanks for all these explanations.
And as an aside:
The only way to
terminate a BASIC login is to issue another 401 response,
I did not even know that this worked. Does it really?
Until now, I thought that the only way to get rid of a BASIC authentication
Hello:
I've got a web application running on Tomcat 7, with SSL (https) and
realm for authentication/authorization.
When I invalidate() a session (session.invalidate()), Tomcat
doesn't know it and thinks that user is still logged in.
So, that user can get protected pages. Tomcat should return
Chema,
On 9/16/2011 7:37 AM, Chema wrote:
I've got a web application running on Tomcat 7, with SSL (https)
and realm for authentication/authorization
Presumably, you are using CLIENT-CERT as your auth-method?
When I invalidate() a session (
Presumably, you are using CLIENT-CERT as your auth-method?
No, FORM method
When I invalidate() a session (session.invalidate()), Tomcat
doesn't know it and thinks that user is still logged in. So, that
user can get protected pages. Tomcat should return him a login
window but doesn't.
Chema,
On 9/16/2011 1:25 PM, Chema wrote:
Presumably, you are using CLIENT-CERT as your auth-method?
No, [I am using] FORM method
Hmm. HttpSession.invalidate() *is* the proper way to terminate a
FORM authentication login.
Chris,
Christopher Schultz wrote:
...
Why do you think that HttpSession.invalidate() should act as a log out
mechanism when using CLIENT-CERT authentication?
I guess that where the OP (and I) get a little confused is in the distinction between the
state of having a session and being
Here goes web.xml and servlet.xml
I will note that server.xml contains SingleSignOn because I've got two
applications which share logging
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
<!-- Authentication -->
<servlet>
<servlet-name>LoginServlet</servlet-name>
André,
On 9/16/2011 1:38 PM, André Warnier wrote:
I guess that where the OP (and I) get a little confused is in the
distinction between the state of having a session and being
logged-in, and maybe the sequence in which these things happen.
1)