>Tomcat 4.0 caches the authenticated principal in the current session (if there
>is one) -- otherwise, it authenticates on every request. I don't believe that
>this feature got back-ported to 3.2.
I tested: it does not cache it in 3.2.
>>
>> Is user principal container wide or context wide?
>>
>For 3.2, it's container-wide. For 4.0, it depends on where you define the
><Realm> element -- you can make it webapp-wide, virtual-host-wide, or
>container-wide.
Maybe I should rephrase my question: when a user is authenticated the first
time, the fact of authentication and the user's name/password/roles are the
same across all contexts; does authentication for one context mean
authentication for all, or should each context authenticate separately?
The reason I am asking is that I could not find any context-specific code in
SimpleRealm/JDBCRealm, and there is only one tomcat-users.xml file, which is
container-wide.
-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 24, 2001 6:10 PM
To: [EMAIL PROTECTED]
Subject: Re: RequestInterceptor authenticate and authorize. Need advise
"Roytman, Alex" wrote:
> Hello,
>
> As I understand, RequestInterceptor.authenticate() and authorize() get
> called every time a protected resource is being accessed. Does it mean
> Tomcat does not cache user/roles after first authentication?
>
Tomcat 4.0 caches the authenticated principal in the current session (if there
is one) -- otherwise, it authenticates on every request. I don't believe that
this feature got back-ported to 3.2.
>
> Should I perform actual authentication every time (which is awfully resource
> consuming) or could I assume that if (request.getRemoteUser() != null) user
> has been authenticated?
>
> something like this:
> if (request.getRemoteUser() == null) {
> //perform authentication
> }
>
> the same question with authorize. What is the best way to handle it. Can I
> cache roles using request.getRemoteUser() as a key?
>
You want to do something like this, in case some previous interceptor (or the
Apache connector) did the authentication -- but if you're running Tomcat
standalone, for example, you'll find that getRemoteUser() is never going to be
set (unless 3.2 really does cache and I've just got amnesia about it :-),
because your interceptor is the only place it will ever get set.
>
> Is user principal container wide or context wide?
>
For 3.2, it's container-wide. For 4.0, it depends on where you define the
<Realm> element -- you can make it webapp-wide, virtual-host-wide, or
container-wide.
>
> Thank you very much in advance
>
> Alex Roytman
>
Craig McClanahan
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
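
A minimal model of the session-cached principal discussed in this thread, added here as an illustration; it is not code from Tomcat or from either poster. Every class, method and attribute name is hypothetical, and the credentials are constructed sample values. It shows the realm being consulted once per session, on every request when there is no session, and failed logins never being cached.

```java
import java.util.*;

// Illustration only: these are not Tomcat classes; every name here is hypothetical.
public class PrincipalCacheDemo {
    static int realmCalls = 0; // counts the expensive realm lookups

    static final class Principal {
        final String name; final Set<String> roles;
        Principal(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    // Stand-in for the costly realm check (file or JDBC lookup); constructed credentials.
    static Principal realmAuthenticate(String user, String password) {
        realmCalls++;
        if ("alex".equals(user) && "s3cret".equals(password))
            return new Principal(user, new HashSet<>(Arrays.asList("manager")));
        return null;
    }

    // session == null models a request that carries no session: nothing can be cached.
    static Principal authenticate(Map<String, Object> session, String user, String password) {
        final String attr = "auth.principal"; // server-side session attribute, never client input
        if (session != null && session.get(attr) != null)
            return (Principal) session.get(attr);               // cache hit: realm not consulted
        Principal p = realmAuthenticate(user, password);
        if (p != null && session != null) session.put(attr, p); // cache successes only
        return p;
    }

    // Role check against the roles stored with the cached principal.
    static boolean authorize(Principal p, String requiredRole) {
        return p != null && p.roles.contains(requiredRole);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        Principal p = null;
        for (int i = 0; i < 3; i++) p = authenticate(session, "alex", "s3cret");
        System.out.println("3 requests with a session: realm calls = " + realmCalls);
        System.out.println("manager: " + authorize(p, "manager") + ", admin: " + authorize(p, "admin"));

        realmCalls = 0;
        for (int i = 0; i < 3; i++) authenticate(null, "alex", "s3cret");
        System.out.println("3 requests without a session: realm calls = " + realmCalls);

        realmCalls = 0;
        Map<String, Object> other = new HashMap<>();
        for (int i = 0; i < 2; i++) authenticate(other, "alex", "wrong");
        System.out.println("2 failed logins: realm calls = " + realmCalls + ", cached = " + other.size());
    }
}
```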