I'm hoping someone can shed some light on a particular behavior I'm
experiencing with BASIC authentication and session cookies:
 
I've set up my servlet to use BASIC authentication and I'm using my own very
simple realm implementation:
  // Every username gets the password "tomcat".
  protected String getPassword(String username) { return "tomcat"; }
  // Every username maps to the principal "tomcat" with the single role "test".
  protected Principal getPrincipal(String username) {
    List roles = new ArrayList();
    roles.add("test");
    return new GenericPrincipal(this, "tomcat", "tomcat", roles);
  }
 
I have a Java client that connects to my servlet via a URL connection,
identical to the code in org.apache.catalina.ant.AbstractCatalinaTask,
passing in "tomcat" for user and password in the first request which works
great!  In subsequent requests I pass back the sessionID (in a cookie
labeled "jsessionid"...) instead of the BASIC authentication, but my request
fails ["This request requires HTTP authentication (Unauthorized)"] although
my session ID is recognized by the servlet.  I figured my initial
authentication was cached so that I only needed to send the session ID and
not pass the authentication string in the header each time - this seems to
be the behavior of the Manager App when I dump its Request/Response headers.
Any ideas how I can accomplish this from a Java client: only sending
authentication once, then using the session ID cookie from then on?  What's
even stranger is that if I pass both the BASIC authentication header and my
session ID every time it works great and my session is recognized, but my
realm methods (see above) are never called, so the authentication must be
stashed somewhere?
 
Thanks for any help,
-Mark
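
The three request shapes the post describes (credentials only, session cookie only, both together), as an added example that is not the poster's code or Tomcat's. The embedded server is a constructed stand-in that demands an Authorization header on every request, which reproduces the reported symptom without explaining Tomcat's behaviour; the class name, the sendAuth flag and the cookie value are assumptions.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.HttpCookie;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class BasicThenCookieClient {
    private String sessionId; // JSESSIONID value captured from a Set-Cookie header

    // One GET. Sends Authorization when sendAuth is true, and the session cookie once known.
    int get(URL url, String user, String pass, boolean sendAuth) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (sendAuth) {
            byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
            conn.setRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(raw));
        }
        if (sessionId != null) conn.setRequestProperty("Cookie", "JSESSIONID=" + sessionId);
        int status = conn.getResponseCode();
        // Index 0 is the status line (null key); header names are compared case-insensitively.
        for (int i = 1; conn.getHeaderFieldKey(i) != null; i++) {
            if (!"Set-Cookie".equalsIgnoreCase(conn.getHeaderFieldKey(i))) continue;
            for (HttpCookie c : HttpCookie.parse(conn.getHeaderField(i)))
                if ("JSESSIONID".equals(c.getName())) sessionId = c.getValue();
        }
        conn.disconnect();
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in server (not Tomcat): 401 unless an Authorization header is present.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            boolean authed = ex.getRequestHeaders().containsKey("Authorization");
            if (authed) ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=CONSTRUCTED123; Path=/; HttpOnly");
            else ex.getResponseHeaders().add("WWW-Authenticate", "Basic realm=\"test\"");
            ex.sendResponseHeaders(authed ? 200 : 401, -1); // -1: no response body
            ex.close();
        });
        server.start();
        URL url = new URL("http://127.0.0.1:" + server.getAddress().getPort() + "/");
        BasicThenCookieClient client = new BasicThenCookieClient();
        System.out.println("auth only:     " + client.get(url, "tomcat", "tomcat", true));
        System.out.println("cookie only:   " + client.get(url, "tomcat", "tomcat", false));
        System.out.println("auth + cookie: " + client.get(url, "tomcat", "tomcat", true));
        server.stop(0);
    }
}
```

BASIC credentials are only base64-encoded, so against a real server this exchange belongs on HTTPS.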

