Tim,

Thanks for the suggestions - but I'm not sure if I explained in enough detail.

>- Extend JDBCRealm for your functionality.

Yes, this might work, but it seems like the function is already there - just not working properly. I was under the impression that JDBCRealm read the database each time it prompted for a logon.

>- Make the user close their web browser to force a new session

We have been having them completely shut down their browser - but the problem still prevails. We can duplicate the problem pretty regularly - but it does not always consistently happen.

>- Invalidate the session which should get rid of the cached Principal stuff

When the user does a logoff we already do a "session.invalidate()"

Any other ideas?

Thanks again - Richard

-----Original Message-----
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Monday, September 29, 2003 5:25 PM
To: Tomcat Users List
Subject: Re: Tomcat 4.1.24 JDBCRealm is (unfortunately) caching passwords

JDBCRealm creates a GenericPrincipal (a Tomcat class) which caches the user information into the user session.

So you have 2 workarounds:
- Extend JDBCRealm for your functionality.
- Make the user close their web browser to force a new session
- Invalidate the session which should get rid of the cached Principal stuff

I think one of the latter 2 should work (I hope)

-Tim

Richard Mixon (qwest) wrote:
> For some reason changes to a user's password take about a half hour to become
> effective. I can query the database using the MySQL command line client and
> see the changed password. We use SHA encryption/encoding. I can also turn on
> a log message in my login servlet and see that the encoded value that my
> login servlet puts in j_password before redirecting to j_security_check also
> matches the value in the database.
>
> It's frustrating to say the least. We could make up a good story of how this
> is really a security feature for our customers - but they'd much rather be
> able to login quickly after having a password reset.
>
> We are using container managed authentication with our web application, using
> the JDBCRealm. We use Tomcat 4.1.24 on Solaris 8 with j2sdk1.4.1_01. We are
> using MySQL 4.0.12.
>
> Turning up the verbosity level for logging does not seem to provide a means
> for showing what JDBCRealm is getting back from the database. I've also
> looked in the JDBCRealm.java source - but my hosting provider does not really
> want me putting a user-built version of Tomcat on the machine I'm on.
>
> Thanks in advance for any ideas/suggestions/solutions.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
