Take a simple war with the web.xml descriptor given at
the bottom of this message. The SecureServlet simply
displays the value of request.getUserPrincipal() and
the current HttpSession id. This servlet is deployed with
a mapping that requires authentication and one that does not:

/restricted/SecureServlet
/unrestricted/SecureServlet

Using the default Tomcat-4.0.2 setup, if I access the
/restricted/SecureServlet path, and login using FORM auth,
I see a non-null getUserPrincipal displayed. If I then access
the /unrestricted/SecureServlet mapping, I also see the same
non-null getUserPrincipal displayed.

Now, if I change the default server.xml configuration to disable
caching at the FormAuthenticator valve using:

 <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
     debug="3" cache="false"/>

Accessing /restricted/SecureServlet continues to display the non-null
getUserPrincipal, while /unrestricted/SecureServlet now displays null.

The servlet 2.3 spec is not clear that one of these behaviors
is correct while the other is incorrect in regard to whether there
must be a non-null getUserPrincipal value when accessing the
/unrestricted/SecureServlet mapping. Is there a requirement
concerning whether getUserPrincipal should be non-null in the
scope of the FORM authentication session?

<web-app>
    <description>A war that can be run standalone</description>

    <servlet>
        <servlet-name>SecureServlet</servlet-name>
        <servlet-class>org.jboss.test.web.servlets.SecureServlet</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>SecureServlet</servlet-name>
        <url-pattern>/restricted/SecureServlet</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SecureServlet</servlet-name>
        <url-pattern>/unrestricted/SecureServlet</url-pattern>
    </servlet-mapping>

    <!-- ### Security -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted</web-resource-name>
            <description>Declarative security tests</description>
            <url-pattern>/restricted/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Only authenticated users can access secure
content</description>
            <role-name>AuthorizedUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>no description</description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Principal Tests</realm-name>
      <form-login-config>
        <form-login-page>/restricted/login.html</form-login-page>
        <form-error-page>/restricted/error.html</form-error-page>
      </form-login-config>
    </login-config>

    <security-role>
        <description>A AuthorizedUser is one with a valid username and
password</description>
        <role-name>AuthorizedUser</role-name>
    </security-role>

</web-app>
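A minimal servlet that reproduces the observation above, added here as an example; it is not the org.jboss.test.web.servlets.SecureServlet from the original post. It assumes the Servlet 2.3 javax.servlet API and the web.xml shown, and prints the principal, session id and role check for whichever mapping was hit, treating a null principal as a normal case rather than an error.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Reports the caller's principal and session for the mapping that was hit. */
public class SecureServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();

        // On a mapping without a matching <security-constraint> the container
        // is not required to have authenticated the caller, so the principal
        // may legitimately be null; never dereference it unchecked.
        Principal principal = request.getUserPrincipal();

        // false: inspecting the session must not create one as a side effect.
        HttpSession session = request.getSession(false);

        // getServletPath() tells us which of the two mappings was used.
        out.println("servletPath            = " + request.getServletPath());
        out.println("authType               = " + request.getAuthType());
        out.println("userPrincipal          = "
                + (principal == null ? "null" : principal.getName()));
        // Role name taken from the <security-role> in the web.xml above.
        out.println("inRole(AuthorizedUser) = " + request.isUserInRole("AuthorizedUser"));
        out.println("sessionId              = "
                + (session == null ? "none" : session.getId()));
    }
}
```

Hitting /restricted/SecureServlet after the FORM login and then /unrestricted/SecureServlet in the same browser session shows directly whether the container carried the principal across to the unconstrained mapping, with or without the cache="false" valve setting.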

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html