On 11/09/17 14:21, Kwan Lim wrote:
> Thanks Mark. You are correct that I'm using my own application which looks
> like the problem is the NonLoginAuthenticator valve is calling
> getInternalSession() (via the AuthenticatorBase class's invoke() method).
> Is there a way to bypass this? I'm guessing the ROOT application bypasses
> the StandardHostValve? It looks like the code is trying to cache an
> authenticated Principal on the request which is something we do not need
> for our app since we do our own authentication.

There are several things going on here.

If a web application is not marked as metadata complete in web.xml OR it
declares security constraints in web.xml then Tomcat needs an
authenticator to be present.

The ROOT web application does meet either of these criteria hence no
Authenticator is configured so nothing tries to access the session.

If either of the above is true and no login configuration is present in
web.xml, Tomcat automatically adds the NonLoginAuthenticator.

By default, every authenticator checks the session for a cached
Principal. This is configurable.

You need to explicitly configure the NonLoginAuthenticator and set cache
to false. Something like the following (untested).

  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
    cache="false" />



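Added example (not part of the original message and not Tomcat code): a small Python check that applies the rules stated in the reply above to an application's web.xml and context.xml, reporting whether an authenticator is needed, whether Tomcat would add NonLoginAuthenticator itself, and whether the session is consulted for a cached Principal. The function name, result keys and sample descriptors are constructed for illustration, and it assumes an explicitly configured valve takes the place of the automatic one.

```python
import xml.etree.ElementTree as ET

NON_LOGIN = "org.apache.catalina.authenticator.NonLoginAuthenticator"

def _local(tag):
    """Drop the XML namespace: '{ns}web-app' -> 'web-app'."""
    return tag.rsplit("}", 1)[-1]

def audit(web_xml, context_xml=None):
    """Apply the rules from the message to one application's descriptors."""
    root = ET.fromstring(web_xml)
    children = {_local(child.tag) for child in root}
    complete = root.get("metadata-complete", "false").strip().lower() == "true"
    # Rule 1: not metadata complete OR declares security constraints.
    needs_auth = (not complete) or "security-constraint" in children
    # Look for an explicitly configured NonLoginAuthenticator valve.
    valve = None
    if context_xml:
        for el in ET.fromstring(context_xml).iter():
            if _local(el.tag) == "Valve" and el.get("className") == NON_LOGIN:
                valve = el
                break
    # Rule 2: no login-config -> Tomcat adds NonLoginAuthenticator itself
    # (assumption: an explicit valve takes the place of the automatic one).
    auto_added = needs_auth and "login-config" not in children and valve is None
    # Rule 3: authenticators consult the session unless cache="false".
    if valve is not None:
        uses_session = valve.get("cache", "true").strip().lower() != "false"
    else:
        uses_session = needs_auth
    return {"needs_authenticator": needs_auth,
            "auto_non_login": auto_added,
            "session_checked": uses_session}

# Constructed sample descriptors (not taken from the thread).
WEB_XML_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>app</servlet-name><servlet-class>example.App</servlet-class></servlet>
</web-app>"""
WEB_XML_COMPLETE = WEB_XML_DEFAULT.replace('version="3.1"',
                                           'version="3.1" metadata-complete="true"')
CONTEXT_XML_FIXED = f'<Context><Valve className="{NON_LOGIN}" cache="false" /></Context>'

if __name__ == "__main__":
    print(audit(WEB_XML_DEFAULT))                     # authenticator added, session checked
    print(audit(WEB_XML_DEFAULT, CONTEXT_XML_FIXED))  # explicit valve, session not checked
    print(audit(WEB_XML_COMPLETE))                    # no authenticator needed
```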