"Roytman, Alex" wrote:

> Hello,
>
> As I understand, RequestInterceptor.authenticate() and authorize() get
> called every time a protected resource is being accessed. Does it mean
> Tomcat does not cache user/roles after the first authentication?
>

Tomcat 4.0 caches the authenticated principal in the current session (if there
is one) -- otherwise, it authenticates on every request.  I don't believe that
this feature got back-ported to 3.2.

>
> Should I perform actual authentication every time (which is awfully resource
> consuming) or could I assume that if (request.getRemoteUser() != null) the user
> has been authenticated?
>
> something like this:
> if (request.getRemoteUser() == null) {
>   //perform authentication
> }
>
> The same question applies to authorize. What is the best way to handle it? Can I
> cache roles using request.getRemoteUser() as a key?
>

You want to do something like this, in case some previous interceptor (or the
Apache connector) did the authentication -- but if you're running Tomcat
standalone, for example, you'll find that getRemoteUser() is never going to be
set (unless 3.2 really does cache and I've just got amnesia about it :-),
because your interceptor is the only place it will ever get set.

>
> Is user principal container wide or context wide?
>

For 3.2, it's container-wide.  For 4.0, it depends on where you define the
<Realm> element -- you can make it webapp-wide, virtual-host-wide, or
container-wide.

>
> Thank you very much in advance
>
> Alex Roytman
>

Craig McClanahan
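The per-session caching that Craig describes for Tomcat 4.0, written out as an added example (not Craig's code and not Tomcat's own implementation). It assumes the Servlet 2.3 Filter API that Tomcat 4.0 supports rather than the 3.2 RequestInterceptor interface, and the `Authenticator` interface is a hypothetical stand-in for whatever does the expensive credential check:

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Constructed example: authenticate once per HttpSession and cache the principal and
// its roles server-side, so later requests in that session skip the expensive work.
public class SessionCachingAuthFilter implements Filter {
    private static final String PRINCIPAL_KEY = "auth.principal";
    private static final String ROLES_KEY = "auth.roles";

    // Hypothetical back-end: verifies credentials and looks up the user's roles.
    public interface Authenticator {
        Principal authenticate(HttpServletRequest req); // null when authentication fails
        Set<String> rolesFor(Principal p);
    }

    private final Authenticator authenticator;
    public SessionCachingAuthFilter(Authenticator a) { this.authenticator = a; }
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(true);
        Principal principal = (Principal) session.getAttribute(PRINCIPAL_KEY);
        Set<String> roles = (Set<String>) session.getAttribute(ROLES_KEY);
        if (principal == null) {
            // Nothing cached for this session yet: run the real authentication exactly once.
            principal = authenticator.authenticate(req);
            if (principal == null) {
                ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            roles = authenticator.rolesFor(principal);
            // The cache key is the server-side session, never a client-supplied user name;
            // logout is simply session.invalidate(), which drops both entries.
            session.setAttribute(PRINCIPAL_KEY, principal);
            session.setAttribute(ROLES_KEY, roles);
        }
        final Principal p = principal;
        final Set<String> r = roles;
        // Expose the cached identity through the standard servlet API for downstream code.
        chain.doFilter(new HttpServletRequestWrapper(req) {
            public Principal getUserPrincipal() { return p; }
            public String getRemoteUser() { return p.getName(); }
            public boolean isUserInRole(String role) { return r.contains(role); }
        }, response);
    }
}
```

Because the roles are bound to the session rather than to getRemoteUser(), a stale or spoofed user name on a later request cannot pick up another user's cached roles.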
