Hi,
I'm a relative tomcat newbie but have discovered what looks to me like a
bug in the simple tomcat-users.xml authentication interceptor.
In a nutshell:
In tomcat-users.xml I have 2 users, in 2 different roles, let's say:
"john" has role "manager"
"jane" has role "clerk"
They auth fine, my servlet is protected using this scheme, everything is
beautiful.
However, when a (real life) user exits their browser (to clear auth
credentials) and opens a browser again on the same PC and goes to my site
and logs in as a different tomcat user, the user Principal remains the
same as the previous request, but the role changes!
Step by step:
1) User logs in as "jane". Servlet prints "user = jane, role=clerk"
2) User closes and re-opens browser window.
3) User logs in again, this time as "john". Servlet prints "user = jane,
role = manager".
So, basically getUserPrincipal is not changing, for some WEIRD reason.
Role changes ok, so auth is happening, but it's like the auth interceptor
is caching principals by IP or something.
AFAIK this is not a problem with the browser (IE5) because I have
rebooted in between logins and the problem still occurs. In addition,
keeping a second auth attempt (that shows incorrect user principal) open
in the browser and restarting tomcat and then pressing REFRESH on the
browser sends the CORRECT principal to my servlet, so it looks like the
browser is sending the right credentials.
Am I being silly, or is this a boo-boo?
Cheers