David Haraburda wrote:
> Hi Craig,
>
> Thanks for your help on this (and other issues). I am re-working
> security in our web application, and previously a user could go directly
> to a login page, log in, and be taken to their home, so I can't remove
> this functionality. What I did instead was this: I changed my "login"
> page to be a JSP that redirects a user to their home page, and then
> restricted this page. Thus, when a user hits it, if they are not logged
> in they will be sent to the real login page, then login, be redirected
> back to my page which then redirects them to their home. This seems to
> work pretty well.
>
Makes sense.
>
> My other question is this: Sometimes a person will need to login as one
> user, then logout and login as another. Is there any way for me to
> "logout" or "unauthenticate" a user? Another curiosity stemming from
> this I have is:
>
This depends on what authentication method you use. If it is BASIC or DIGEST, there
is not really a good way to unauthenticate a user, because it is the browser who is
sending the authentication info on every request (until the browser is exited). I
have heard people say they can deal with this by explicitly sending a 401 error (the
"Unauthorized" response), but I've never had any success with it myself.
For form based login, life is simpler -- just invalidate the session. This works for
Tomcat 3.2 and 4.0, and (I believe) for others.
>
> In the Servlet spec (v 2.2, section 11.6) it states that "a servlet
> container is required to track authentication at the container level..."
>
> As I understand it, this means my authorization/authentication
> information will be saved "across contexts" (ie, I can access a
> restricted servlet in a different context without having to login again)
>
> Does Tomcat do this? Where is this information stored, and what is the
> right way to invalidate it as I would need to do for a "logout"
> process? As far as I can tell it looks like it is just saved on the
> Request object (org.apache.tomcat.core.RequestImpl).
>
Tomcat 4.0 does this, if you configure it to do so. There is a commented-out entry in
"server.xml" that looks like this:
<Valve class="org.apache.catalina.authenticator.SingleSignOn"
debug="0"/>
that, if enabled, causes Tomcat to remember a user's authentication info from the
first time they access any protected resource, for all webapps related to a particular
virtual host. This is very useful for a portal site that might have multiple
"applications", each in their own webapp, that all belong to the same set of users --
like the way that Yahoo makes you sign on only once for all of their "My Yahoo" apps.
(Relevant to your previous point, this identity is maintained with a cookie, and the
only current way to "unauthenticate" is to exit the browser.)
>
> I really appreciate all your help.
>
> Thanks once again,
>
> David
>
Craig
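As an added illustration of the form-based logout Craig describes (this is example code, not code from the thread and not part of Tomcat), a servlet that invalidates the session when the webapp uses FORM authentication, and that explains the limitation for BASIC or DIGEST, where the browser keeps re-sending cached credentials. The servlet mapping (for instance /logout) and the redirect target /index.jsp are assumptions; the redirect target should be a page that is not inside any security constraint.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout servlet for a webapp protected with FORM authentication.
 * Map it in web.xml to a path such as /logout (hypothetical; pick your own).
 * With FORM login the container keeps the authenticated identity in the
 * HttpSession, so invalidating the session is the logout.
 */
public class LogoutServlet extends HttpServlet {

    // Assumption: a page outside every <security-constraint>, so the redirect
    // itself does not immediately trigger a new login challenge.
    private static final String AFTER_LOGOUT = "/index.jsp";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // null when the current request was not authenticated at all
        String authType = request.getAuthType();

        // getSession(false) avoids creating a brand-new empty session only to
        // invalidate it a moment later.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Drops every attribute, including the identity the container
            // stored at login, so the next user cannot inherit the old state.
            session.invalidate();
        }

        if (authType == null || HttpServletRequest.FORM_AUTH.equals(authType)) {
            // Session gone: the next request to a protected resource is sent to
            // the login form, where a different user can sign in.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + AFTER_LOGOUT));
            return;
        }

        // BASIC or DIGEST: the browser re-sends its cached credentials on every
        // request and the server cannot make it forget them.  The session was
        // cleared above, but the same identity reappears on the next request,
        // so tell the user what actually ends the login.
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("<p>Your session has been cleared.</p>");
        out.println("<p>This application uses " + authType + " authentication; "
                + "your browser will keep sending those credentials until you exit it. "
                + "Close all browser windows to log in as a different user.</p>");
        out.println("</body></html>");
    }
}
```

Invalidating the session before redirecting, rather than after, matters when two people share a browser: the second user's login starts from an empty session instead of one still carrying the first user's attributes. The same servlet does not help with the SingleSignOn valve Craig mentions, which keeps its own cookie-based identity outside the webapp's session.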