On Fri, 16 Aug 2002, Scott Dayberry wrote:

> Date: Fri, 16 Aug 2002 11:11:53 -0600
> From: Scott Dayberry <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: 'Tomcat Users List' <[EMAIL PROTECTED]>
> Subject: RE: getRemoteUser() reset to null after authenticated user hits
>     an unauthorized page
>
> Thanks for your response.  I was hoping it wasn't a bug in 3.2.3, but rather
> a configuration problem, or that a workaround existed.  :*)  Does this bug
> exist in 3.3.1?
>

I haven't got a clue ... I've never used 3.3 for anything.  I'm sure
others here can speak to that.

> I've been reluctant to upgrade to Tomcat 4 due to potential installation and
> compatibility issues with Apache 1.3.X, mod_jk.so, on both Solaris 2.6 and
> 2.8.  Is this combination a clean upgrade on both OS's?
>

Likewise, you're better off asking some of the other folks who use the web
connectors, but my impression is that it should work well for you.

Craig

>
> > -----Original Message-----
> > From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, August 16, 2002 10:30 AM
> > To: Tomcat Users List
> > Subject: Re: getRemoteUser() reset to null after authenticated user hits an unauthorized page
> >
> >
> >
> >
> > On Fri, 16 Aug 2002, Scott Dayberry wrote:
> >
> > > Date: Fri, 16 Aug 2002 09:31:38 -0600
> > > From: Scott Dayberry <[EMAIL PROTECTED]>
> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: getRemoteUser() reset to null after authenticated user hits an
> > >     unauthorized page
> > >
> > > I am using form-based authentication under Tomcat 3.2.3.
> > >
> > > I have 3 security-constraint sections in web.xml for 3 different user roles.
> > > If an already authenticated user selects a page to which he is not
> > > authorized, he is redirected to the form-error-page (I thought this should
> > > be a 403-Forbidden error instead), and his authentication is invalidated.
> > > (A getRemoteUser() call returning null at this point verifies this).
> > >
> > > The implication of this is that he can no longer select any pages that he
> > > IS authorized for, and must re-login. Is this a known bug with Tomcat 3.2.3,
> > > expected behavior, or is there a configuration setting I am missing?
> > >
> >
> > Sounds like a bug in 3.2.3 (which is pretty ancient, by the way).  I think
> > 3.2.3 also failed to return getRemoteUser() correctly when you
> > successfully log on, and then navigate to a URL not protected by a
> > security constraint.  Tomcat 4.0 and 4.1 handle that situation correctly.
> >
> > > Thanks in advance,
> > > Scott
> > >
> >
> > Craig
> >
> >
> > >
> > > --
> > > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> > >
> > >