On 9/14/16 3:59 AM, nclemeur wrote:
>>> I am using HttpServletRequest.login to authenticate users on an
>>> ajax call. This is working fine and the relevant realm is
>>> queried. However, on subsequent requests, I have quite often
>>> the remote user being null despite having the correct JSESSION
>>> cookie set from the login call.
>>> This is not happening always, but it is quite frequent.
>>> Interestingly, if I set an attribute in the session, that
>>> session and attributes are preserved in the subsequent
>>> Is there anything else that I should do to preserve
>>> authentication information? It is very strange that this
>>> process is working intermittently. As a workaround I am
>>> wrapping the request and overriding the
>>> getRemoteUser/getUserPrincipal/isUserInRole to get this
>>> information from the information I am storing in the session,
>>> but I would prefer to have this working without this workaround
>>> (for example the AccessLogValve does not report the user
>>> correctly when using that workaround).
>> Tomcat version?
>> What authentication, if any, do you have configured in web.xml?
>> Do you have any security constraints defined anywhere
>> (annotations or in web.xml)?
> I was having this problem in Tomcat 8.0.35. I did try to reproduce
> it on a simpler setup on 8.0.37 and 8.5.5, but could not succeed...
> I'll try to integrate my tests in my main app to see if I can
> reproduce it then.
Any chance this is a problem with cookies using the HttpOnly flag?