On Mon, 6 Aug 2001, Michael Wentzel wrote:
> > > Advantage: You don't lose existing session data
> > > Disadv : You're not actually re-authenticating
> > (not really authenticating, you lost me)
>
> After looking at some code I figured something out...
> I was thinking about this architecture wrong. Kyle was
> right just using:
>
> session.setAttribute("j_password", sPassword);
>
> will provide a hook for password changes.
>
Note that this kind of thing is ***very*** dependent on the form based
login of one particular version of Tomcat. You cannot count on it working
anywhere else (such as Tomcat 3.2 or Tomcat 4.0).

The general mechanism for dealing with password changes depends on whether
you want the user to reauthenticate or not. If you do, simply invalidate
the session and create a new one -- the next request for a protected
resource will display the login page, in the usual way. Otherwise, just
let the existing session continue to operate.
>
> ---
> Michael Wentzel
> Software Developer
> Software As We Think - http://www.aswethink.com
>
Craig McClanahan
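
The two container-independent behaviours described in the reply above, as an added example that is not part of the original thread or of Tomcat's own code. It places nothing password-related in the session. The `CredentialStore` interface, the `credentialStore` context attribute, the form parameter names and the redirect path are hypothetical.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.*;

public class ChangePasswordServlet extends HttpServlet {

    /** Hypothetical store; stands in for whatever backs the container's realm. */
    public interface CredentialStore {
        boolean verify(String user, char[] password);
        void update(String user, char[] newPassword);
    }

    // Assumption: deployment choice between the two behaviours in the reply.
    private static final boolean REAUTHENTICATE = true;

    private CredentialStore store;

    @Override
    public void init() throws ServletException {
        // Assumption: the application publishes its store under this attribute name.
        store = (CredentialStore) getServletContext().getAttribute("credentialStore");
        if (store == null) throw new UnavailableException("credentialStore not configured");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();          // set by container-managed login
        if (user == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }

        String current = req.getParameter("currentPassword");
        String replacement = req.getParameter("newPassword");
        // Require the current password so a borrowed session cannot change it.
        if (current == null || replacement == null || replacement.isEmpty()
                || !store.verify(user, current.toCharArray())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        store.update(user, replacement.toCharArray());

        if (REAUTHENTICATE) {
            // Drops all session data; the next request for a protected
            // resource makes the container show its login page again.
            HttpSession session = req.getSession(false);
            if (session != null) session.invalidate();
        }   // otherwise the existing session simply keeps operating
        resp.sendRedirect(req.getContextPath() + "/protected/index.jsp");
    }
}
```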