I do not believe cookies are involved here at all.
Here is the relevant code from the AccessInterceptor used to authenticate.
There is no use of cookies. It uses traditional WWW-Authenticate HTTP headers
to prompt the browser for the login.

    res.setStatus( 401 );
    res.setHeader( "WWW-Authenticate",
                   "Basic realm=\"" + realm + "\"");

Nacho wrote:
> If you do not pass the session cookie received by the authenticated
> request to the applet and use it as a header on its connection, Tomcat
> cannot associate the second connection (from the applet) with the first
> (from the browser), so it considers the second connection as a different
> connection and does not consider it authorized by the first request... only a
> thought
>
> Regards,
> Ignacio J. Ortega
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, October 20, 2000 23:20
> > To: [EMAIL PROTECTED]
> > Subject: JDBCRealm authenticating twice with applet
> >
> >
> >
> > Win NT platform
> > JDK1.2
> > Tomcat 3.2b6
> > DB2 EE v7.1
> >
> > server.xml:
> > <RequestInterceptor
> >     className="org.apache.tomcat.request.JDBCRealm"
> >     debug="99"
> >     driverName="COM.ibm.db2.jdbc.app.DB2Driver"
> >     connectionURL="jdbc:db2:authDb"
> >     userTable="users"
> >     userNameCol="user_name"
> >     userCredCol="user_pass"
> >     userRoleTable="user_roles"
> >     roleNameCol="role_name"
> >     connectionName="userid"
> >     connectionPassword="password"/>
> >
> >
> > web.xml:
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>WebApp Home</web-resource-name>
> >     <url-pattern>/*</url-pattern>
> >     <http-method>DELETE</http-method>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >     <http-method>PUT</http-method>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>appuser</role-name>
> >   </auth-constraint>
> > </security-constraint>
> >
> > <login-config>
> >   <auth-method>BASIC</auth-method>
> >   <realm-name>WebApp Realm</realm-name>
> > </login-config>
> >
> >
> > I have configured everything under the ROOT context to be protected with
> > BASIC authentication. When I request the default index.html page under
> > the /ROOT directory, the JDBCRealm RequestInterceptor correctly handles my
> > login. I then select a link from the index page to another html page also
> > located under root which contains an Applet. The applet loads and makes a
> > URLConnection to a servlet which is under the /ROOT/WEB-INF/classes folder.
> > At this point the Interceptor requires another login. But I have already
> > been authenticated in this REALM! Why the second login????
> >
> > The first login window looks like a plain Browser Login window. The second
> > window is however a java login window; generated in the Applet's JVM I
> > suppose. Does the URLConnection require explicit http header handling?
> > (In the form of setRequestProperty() )
> >
> > Raimee
> >
> >
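
Added example, not part of the original thread or of Tomcat's code: HTTP Basic authentication is carried per request in an Authorization header, so a connection that sends none is answered with the 401 / WWW-Authenticate challenge shown in the interceptor snippet above. The class and method names and the sample credentials are constructed for illustration, and java.util.Base64 assumes Java 8 or later rather than the JDK 1.2 mentioned in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicAuthDemo {
    // Client side: the value an applet would pass to
    // URLConnection.setRequestProperty("Authorization", ...).
    static String authorizationHeader(String user, String pass) {
        String pair = user + ":" + pass;
        return "Basic " + Base64.getEncoder()
                .encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    // Server side (hypothetical helper): returns {user, password}, or null when
    // the request must be answered with 401 and a WWW-Authenticate challenge.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null; // no credentials on this request
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // the first colon separates user from password
        if (colon < 0) {
            return null;
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the password deliberately contains colons.
        String header = authorizationHeader("appuser1", "s3cret:with:colons");
        System.out.println("Authorization: " + header);

        // A new connection with no header is challenged, whatever earlier requests sent.
        System.out.println(parseBasic(null) == null
                ? "401, WWW-Authenticate: Basic realm=\"WebApp Realm\"" : "200");

        // The same request with the header attached yields the credentials to check.
        String[] creds = parseBasic(header);
        System.out.println(creds[0] + " / " + creds[1]);
    }
}
```

The header value is only base64-encoded, not encrypted, so it is readable by anyone who can observe the connection unless the request goes over TLS.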