On 11/09/17 14:21, Kwan Lim wrote:
> Thanks Mark. You are correct that I'm using my own application which looks
> like the problem is the NonLoginAuthenticator valve is calling
> getInternalSession() (via the AuthenticatorBase class's invoke() method).
> Is there a way to bypass this? I'm guessing the ROOT application bypasses
> the StandardHostValve? It looks like the code is trying to cache an
> authenticated Principal on the request which is something we do not need
> for our app since we do our own authentication.

There are several things going on here.

If a web application is not marked as metadata complete in web.xml OR it
declares security constraints in web.xml then Tomcat needs an
authenticator to be present.

The ROOT web application does meet either of these criteria hence no
Authenticator is configured so nothing tries to access the session.

If either of the above are true and no login configuration is present in
web.xml, Tomcat automatically adds the NonLoginAuthenticator.

By default, every authenticator checks the session for a cached
Principal. This is configurable.

You need to explicitly configure the NonLoginAuthenticator and set cache
to false. Something like the following (untested).

<Context>
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         cache="false" />
</Context>

HTH,

Mark
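
An added example (not part of the original thread, and not Tomcat code): a small Python check that applies the rule as stated in the reply above to an application's web.xml and optional context.xml, so a deployment can be audited for whether an authenticator with Principal caching would be in play. The `audit` helper, its result strings and the sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NON_LOGIN = "org.apache.catalina.authenticator.NonLoginAuthenticator"

def local(tag):
    """Drop the XML namespace so any web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml, context_xml=None):
    """Hypothetical helper: apply the rule stated in the reply above."""
    # An explicitly configured valve wins; caching is on unless cache="false".
    if context_xml:
        for el in ET.fromstring(context_xml).iter():
            if local(el.tag) == "Valve" and el.get("className") == NON_LOGIN:
                cached = el.get("cache", "true").strip().lower() != "false"
                return "explicit NonLoginAuthenticator, cache " + ("on" if cached else "off")
    root = ET.fromstring(web_xml)
    children = {local(child.tag) for child in root}
    complete = root.get("metadata-complete", "false").strip().lower() == "true"
    if complete and "security-constraint" not in children:
        return "no authenticator"
    if "login-config" in children:
        return "authenticator from login-config, cache on"
    return "automatic NonLoginAuthenticator, cache on"

# Constructed sample descriptors (not taken from the thread).
NS = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"'
WEB_PLAIN = f"<web-app {NS}><display-name>app</display-name></web-app>"
WEB_COMPLETE = f'<web-app {NS} metadata-complete="true"></web-app>'
WEB_CONSTRAINED = (
    f'<web-app {NS} metadata-complete="true"><security-constraint>'
    "<web-resource-collection><web-resource-name>all</web-resource-name>"
    "<url-pattern>/*</url-pattern></web-resource-collection>"
    "</security-constraint></web-app>"
)
CONTEXT_FIX = f'<Context><Valve className="{NON_LOGIN}" cache="false" /></Context>'

if __name__ == "__main__":
    for name, web, ctx in [("plain", WEB_PLAIN, None), ("complete", WEB_COMPLETE, None),
                           ("constrained", WEB_CONSTRAINED, None),
                           ("plain + valve", WEB_PLAIN, CONTEXT_FIX)]:
        print(f"{name:14} -> {audit(web, ctx)}")
```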