On Wed, 14 Aug 2002, Mark Schmeets wrote:

> Date: Wed, 14 Aug 2002 10:54:04 -0400
> From: Mark Schmeets <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: j_username in session cookie - where did it go?
>
> whoa, that seems like a very oversimplified answer. Some of us require
> security at the data level too. A "solution" like that makes Tomcat's
> authentication useless in that situation...
>

If you base your data security on the fact that the container has already
authenticated the user (and if you trust the container), why do you need
the password again?  You already know who the user is, and you can find
out if he/she has a particular role used to protect the data you are
checking for access rights to.

>
> Mark

Craig


>
>
> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 11:11 PM
> To: Tomcat Users List
> Subject: Re: j_username in session cookie - where did it go?
>
>
>
>
> On Tue, 13 Aug 2002, Ed Thompson wrote:
>
> > Date: Tue, 13 Aug 2002 22:56:32 -0400
> > From: Ed Thompson <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: Re: j_username in session cookie - where did it go?
> >
> > I was also scraping the password - used j_username and j_passwd for
> > database access.
> >
>
> There is no portable way to do that.  And Tomcat 4 does not expose them,
> because the password is none of the app's business -- the user is either
> authenticated or not.
>
> > Any hints on that one?
>
> Re-architect your app so that it needs only the username.
>
> Craig
>
>
> >
> > ----- Original Message -----
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 10:41 PM
> > Subject: Re: j_username in session cookie - where did it go?
> >
> >
> > >
> > >
> > > On Tue, 13 Aug 2002, Ed Thompson wrote:
> > >
> > > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > Subject: j_username in session cookie - where did it go?
> > > >
> > > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > > Tomcat 4.0.4.
> > > >
> > > > I am using form based authentication, and found under 3.2 I could pull
> > > > j_username out of the session cookie after authentication was done.
> > > >
> > >
> > > That's not how it really worked under 3.2, although if you are using
> > > BASIC authentication you could decode the username out of the
> > > "Authorization" header.
> > >
> > > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it
> > > > under Tomcat 4.0.1 before I upgraded and it worked, but not after
> > > > uninstalling 3.2 and installing 4.0.4 from scratch.
> > > >
> > > > Can anyone shed light on what is (not) happening?  Have the rules
> > > > changed or have I not cfg'd something properly?
> > > >
> > >
> > > The portable way to get ahold of the authenticated username is to call
> > > request.getRemoteUser().  See the servlet spec for more details on
> > > container managed security:
> > >
> > > http://java.sun.com/products/servlet/download.html
> > >
> > > > Thanx!
> > > > Ed
> > >
> > > Craig
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail:
> > <mailto:[EMAIL PROTECTED]>
> > >


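Craig's advice above (base data-level checks on the container's authentication and roles rather than on the user's password) as an added Java example; it is not code from the thread or from Tomcat itself. It assumes a Servlet 2.3 container such as Tomcat 4 with a security constraint covering the servlet's URL, a `<security-role>` named "auditor", and a JNDI DataSource at `jdbc/ReportsDB`; the servlet name, the `reports` table and its columns are made up for the example.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.naming.InitialContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class ReportServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container already authenticated the caller; getRemoteUser() is
        // the portable identity (null only if the URL is not constrained).
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Row-level rule: auditors see every report, everyone else only their
        // own. The role comes from the realm, not from the login form.
        boolean auditor = req.isUserInRole("auditor");   // assumed role name
        String sql = auditor
            ? "SELECT id, title FROM reports"
            : "SELECT id, title FROM reports WHERE owner = ?";
        try {
            // The pool logs in with the application's own DB account, so the
            // user's password is never needed (which is why Tomcat 4 hides it).
            DataSource ds = (DataSource) new InitialContext()
                .lookup("java:comp/env/jdbc/ReportsDB");   // assumed JNDI name
            Connection c = ds.getConnection();
            try {
                PreparedStatement ps = c.prepareStatement(sql);
                if (!auditor) ps.setString(1, user);   // bound, not concatenated
                ResultSet rs = ps.executeQuery();
                resp.setContentType("text/plain");
                while (rs.next()) {
                    resp.getWriter().println(rs.getInt("id") + "\t" + rs.getString("title"));
                }
            } finally {
                c.close();   // returns the connection to the pool
            }
        } catch (Exception e) {
            throw new ServletException("report query failed", e);
        }
    }
}
```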