I was pointed to a paragraph in the Servlet 2.3 specification that seems wrong to me. Section SRV.12.6 says the following:
"Therefore, a servlet container is required to track authentication information at the container level (rather than at the web application level). This allows users authenticated for one web application to access other resources managed by the container permitted to the same security identity."

Before that, it says a "desire" is to "Require re-authentication of users only when a security policy domain boundary has been crossed."

This could be easily interpreted to mean that if a container was hosting two separate applications, where one "web.xml" specified that a particular named role could access the protected region, and the other "web.xml" used the same role name for its protected region, the user could go through the container-managed authentication process in the first application and then directly access pages of the second application without requiring a login.

Is this an incorrect interpretation? If so, could someone explain exactly what this paragraph is supposed to mean, both theoretically and in practice?

Archives: http://archives.java.sun.com/archives/servlet-interest.html
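For readers following the question, here is the kind of deployment descriptor fragment it refers to. This is an added illustration, not part of the original post: a web.xml that protects a URL region with a container-managed security constraint and declares the role name used by that constraint. The path /protected/*, the role name "manager", the FORM login pages and the web.xml version attributes are assumptions chosen for the example. Each web application declares its own security-role elements and its own constraints; which users or groups a declared role name maps to is set by container-specific deployment configuration, which is why two applications reusing the same role name are not, by the descriptor alone, granting access to the same set of people.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: one web application's deployment descriptor (web.xml).
     Paths, role name and login pages are assumptions for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         version="2.4">

  <!-- Only requests under /protected/* are subject to the auth-constraint;
       everything else in this application stays unauthenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <!-- Role name is local to this application's descriptor. -->
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require a protected transport so credentials are not sent in clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Container-managed login: the container, not the application,
       collects credentials and establishes the authenticated identity. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced above must be declared; mapping this name to
       actual users or groups happens in container-specific configuration. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app>
```

When checking how a given container behaves, the practical test is to deploy two applications with descriptors like this one, authenticate to the first, and then request a constrained URL in the second while watching whether the container issues a new login challenge; the answer depends on the container's session and single-sign-on configuration rather than on the shared role name.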