Barbara,

Bárbara Vieira wrote:
> My question is: why are we putting the Principal in the Request?

So that request.getUserPrincipal() will return a value.

> Why can't we just authenticate the user if there is a principal in
> the internal Session?! Doesn't make sense: put the Principal in the
> Request, and after, in the authentication method, we just test if there
> is a Principal in the Request and return true.

A request may be checked multiple times for authentication (think
server-side forwards, etc.) so it's a small optimization to cache the
principal in the request -- and it satisfies the requirement that
request.getUserPrincipal() actually works, so it makes sense.

> In other words, what kind of security does this process provide?!

There will never be a Principal object that has not been properly
authenticated. Is that good enough security for you?

-chris
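The flow Chris describes, as an added illustration that is neither Tomcat's AuthenticatorBase nor code from this thread: a servlet filter (assumes the javax.servlet 4.0 API) that creates a Principal only after credentials verify, keeps it in the session, and caches it on the request so getUserPrincipal() works for the rest of the request, forwards included. The session attribute name and the "alice" test account are constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;
// Added example, not Tomcat's code. A Principal object is created in exactly one place
// (after a successful credential check), so "is there a Principal?" is a sound test.
public class CachingAuthFilter implements Filter {
    static final String SESSION_KEY = "auth.principal";            // assumed attribute name
    static final String DEMO_USER = "alice", DEMO_PASS = "s3cret";  // constructed test account
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // 1. Already authenticated earlier in this same request (e.g. before a forward)?
        if (request.getUserPrincipal() != null) { chain.doFilter(request, response); return; }
        // 2. Authenticated earlier in this session? Reuse it and re-cache it on the request.
        HttpSession session = request.getSession(false);
        Principal p = session == null ? null : (Principal) session.getAttribute(SESSION_KEY);
        if (p == null) {
            // 3. No principal anywhere: the only place a Principal object is ever created.
            p = checkBasicCredentials(request.getHeader("Authorization"));
            if (p == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            request.getSession(true).setAttribute(SESSION_KEY, p);
        }
        chain.doFilter(new AuthenticatedRequest(request, p), response);
    }
    // Verifies an HTTP Basic header against the constructed account; null means "not authenticated".
    static Principal checkBasicCredentials(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        final String[] creds;
        try { creds = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8).split(":", 2); }
        catch (IllegalArgumentException badBase64) { return null; }
        if (creds.length != 2 || !creds[0].equals(DEMO_USER)) return null;
        // Constant-time comparison of the submitted password with the stored one.
        boolean ok = MessageDigest.isEqual(creds[1].getBytes(StandardCharsets.UTF_8), DEMO_PASS.getBytes(StandardCharsets.UTF_8));
        return ok ? (Principal) () -> creds[0] : null;   // Principal's only abstract method is getName()
    }
    // Wrapper carrying the authenticated principal for the remainder of this request.
    static final class AuthenticatedRequest extends HttpServletRequestWrapper {
        private final Principal principal;
        AuthenticatedRequest(HttpServletRequest r, Principal p) { super(r); principal = p; }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public String getRemoteUser() { return principal.getName(); }
    }
}
```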