Chris, sessions are there by default, you can only avoid them by specifying in your <%@ page session="false"> directive to disable them. Sessions are in use once you declare a <jsp:usebean id="something" scope"session"> with session as scope.
Cheers, Mika :wq ----- Original Message ----- From: "Bongiorno, Christian" <[EMAIL PROTECTED]> To: "'Tomcat Users List'" <[EMAIL PROTECTED]> Sent: Wednesday, November 14, 2001 12:06 AM Subject: RE: Principal caching with authentication > How would I know if I was or wasn't using sessions? Maybe I don't understand > the use of the term correctly. What is the default? I can check the config > > -----Original Message----- > From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, November 13, 2001 5:48 PM > To: Tomcat Users List > Subject: Re: Principal caching with authentication > > > > > On Tue, 13 Nov 2001, Bongiorno, Christian wrote: > > > Date: Tue, 13 Nov 2001 17:49:40 -0500 > > From: "Bongiorno, Christian" <[EMAIL PROTECTED]> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]> > > To: 'Tomcat Users List' <[EMAIL PROTECTED]> > > Subject: Principal caching with authentication > > > > Here is something else I am wrestling with. When a user hits a protected > > page and authenticates, subsequent authentication requests for every page > > clicked on occurs. I have been reading that there is some sort of caching > > going on, but I still have my authenticate() method called even-though the > > user has been validated as having access roles for that session. So, maybe > > once again I am missing it, but, I could cache the credentials on my own > if > > I could get a session timeout event and the Principal it was using for > that > > session. I could just do a quick lookup on the principal to see if I have > it > > already -- if so return it, else get a new one. > > > > > > Am I thinking correctly? > > > > In Tomcat 4, the standard Authenticators cache authenticated principals in > the current session, ***if*** there is one (and assuming you do not turn > it off with configuration options). In the absence of sessions, your > Realm.authenticate() method will get called on every request. > > It is also common to see your authenticate() method called twice, even > when using sessions, if the session hasn't been created yet when > authentication occurs. But beyond that, as long as you're using sessions, > the authenticated Principal will be cached and reused throughout the life > of this session. > > > Chris > > > > Craig > > > -- > To unsubscribe: <mailto:[EMAIL PROTECTED]> > For additional commands: <mailto:[EMAIL PROTECTED]> > Troubles with the list: <mailto:[EMAIL PROTECTED]> > > -- > To unsubscribe: <mailto:[EMAIL PROTECTED]> > For additional commands: <mailto:[EMAIL PROTECTED]> > Troubles with the list: <mailto:[EMAIL PROTECTED]> > -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>