Hans Wahn wrote:
Thanks for your friendly words and explanations.
Due to your thought that the POST data of the first request may get
processed too late and mix up things, I altered the client source, so
the user credentials are only sent after the initial call (on the
second request).

No, what I really meant was something like this: do the authentication before even the first POST. The client should first request some resource inside the protected area, but with a GET (for example, some static page). That will trigger the authentication cycle (login page sent by the server, response with credentials by the client, server sending the originally requested page back (or a redirect to it)). Then, when the client has received this first static resource (and is authenticated for that protected area), have it do the POST.
Then the POST itself will not be interrupted and/or repeated by the 
authentication cycle.

But, if you are doing this using a form authentication, then there must be something (some information) which is sent in the POST, which allows the server to determine that the client is already authenticated. Normally, one does this by creating a "session" at the server level, saving the authentication data inside that session information, then returning a cookie to the client with the id of that session. The client then, upon subsequent calls, adds this cookie to the requests, and this is what allows the server to retrieve the corresponding saved session information, including that the client is already authenticated, and thus to decide that it does not have to authenticate the client again.

I believe that most of this should be "automatic", handled automatically by Tomcat and your HttpClient, via the JSESSIONID cookie.

But re-examining your messages to the list and looking at your steps 3 and 4, I see that the value of the JSESSIONID cookie changes in between:

in step 3, you have:

2010/08/12 20:20:17:750 CEST [DEBUG] wire - >> "Cookie:
JSESSIONID=DA224C1B02E94524187858267D70A830[EOL]"

while in step 4, you have:

2010/08/12 20:20:17:796 CEST [DEBUG] wire - >> "Cookie:
JSESSIONID=A5FB87E6199EADB2AB18010DA295EC99[EOL]"

These are 2 different session ids, thus I would think 2 distinct sessions.
Are you sure that there is not something wrong in your authentication logic?

Or is it I who do not understand how these things are supposed to work?
(generic question to the list)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
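The check the reply above does by eye (comparing the JSESSIONID in step 3 with the one in step 4) can be done mechanically over the HttpClient "wire" debug output. The following is an added example, not code from the thread, from Tomcat or from HttpClient: it pairs each outgoing request with the JSESSIONID the client sent in its Cookie header and with the last id the server issued via Set-Cookie, and flags requests whose cookie the server never handed out. The sample log is constructed here: the two Cookie lines mirror the ones quoted above, while the request lines, Set-Cookie lines, the paths under /app/ and the final cookie value are assumed for illustration (j_security_check is the standard action of Tomcat's form login). A single rotation right after the login POST is what a server does to protect against session fixation; an id that was never issued means the client is not returning the cookie it was given.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of HttpClient "wire" debug output (not a real capture).
# Request and Set-Cookie lines are assumed; the first two Cookie lines mirror
# the ones quoted in the thread. Email wrapping split "Cookie:" from its value
# in the quoted post; here each header is kept on one line.
SAMPLE_WIRE_LOG = """\
2010/08/12 20:20:17:700 CEST [DEBUG] wire - >> "GET /app/protected/index.html HTTP/1.1[EOL]"
2010/08/12 20:20:17:710 CEST [DEBUG] wire - << "Set-Cookie: JSESSIONID=DA224C1B02E94524187858267D70A830; Path=/app[EOL]"
2010/08/12 20:20:17:750 CEST [DEBUG] wire - >> "POST /app/j_security_check HTTP/1.1[EOL]"
2010/08/12 20:20:17:750 CEST [DEBUG] wire - >> "Cookie: JSESSIONID=DA224C1B02E94524187858267D70A830[EOL]"
2010/08/12 20:20:17:790 CEST [DEBUG] wire - << "Set-Cookie: JSESSIONID=A5FB87E6199EADB2AB18010DA295EC99; Path=/app[EOL]"
2010/08/12 20:20:17:796 CEST [DEBUG] wire - >> "POST /app/protected/upload HTTP/1.1[EOL]"
2010/08/12 20:20:17:796 CEST [DEBUG] wire - >> "Cookie: JSESSIONID=A5FB87E6199EADB2AB18010DA295EC99[EOL]"
2010/08/12 20:20:17:850 CEST [DEBUG] wire - >> "POST /app/protected/upload HTTP/1.1[EOL]"
2010/08/12 20:20:17:850 CEST [DEBUG] wire - >> "Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF[EOL]"
"""

REQUEST_RE = re.compile(r'>> "(GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/1\.[01]\[EOL\]"')
SENT_COOKIE_RE = re.compile(r'>> "Cookie:.*?JSESSIONID=([0-9A-Fa-f]+)')
SET_COOKIE_RE = re.compile(r'<< "Set-Cookie: JSESSIONID=([0-9A-Fa-f]+)')


@dataclass
class RequestRecord:
    method: str
    path: str
    issued_id: Optional[str]          # last JSESSIONID the server issued before this request
    sent_id: Optional[str] = None     # JSESSIONID the client put in its Cookie header
    verdict: str = ""


def parse_wire_log(text: str) -> List[RequestRecord]:
    """Pair every outgoing request with the session id it carries and with the
    most recent id the server handed out via Set-Cookie."""
    records: List[RequestRecord] = []
    last_issued: Optional[str] = None
    current: Optional[RequestRecord] = None
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = RequestRecord(m.group(1), m.group(2), issued_id=last_issued)
            records.append(current)
            continue
        m = SENT_COOKIE_RE.search(line)
        if m and current is not None:
            current.sent_id = m.group(1).upper()
            continue
        m = SET_COOKIE_RE.search(line)
        if m:
            last_issued = m.group(1).upper()   # applies to the requests that follow
    return records


def classify(records: List[RequestRecord]) -> List[RequestRecord]:
    """Attach a verdict per request: does the cookie sent match the id the server issued?"""
    for r in records:
        if r.sent_id is None:
            r.verdict = "no-cookie" if r.issued_id is None else "cookie-dropped"
        elif r.sent_id == r.issued_id:
            r.verdict = "ok"
        else:
            r.verdict = "unknown-id"   # server never issued this id, or the client sent a stale one
    return records


def session_rotations(records: List[RequestRecord]) -> List[Tuple[int, str, str]]:
    """Request indexes before which the server-issued id changed."""
    out: List[Tuple[int, str, str]] = []
    for i in range(1, len(records)):
        a, b = records[i - 1].issued_id, records[i].issued_id
        if a is not None and b is not None and a != b:
            out.append((i, a, b))
    return out


def verdicts(text: str) -> List[str]:
    return [r.verdict for r in classify(parse_wire_log(text))]


if __name__ == "__main__":
    recs = classify(parse_wire_log(SAMPLE_WIRE_LOG))
    for i, r in enumerate(recs):
        print(f"{i}: {r.method} {r.path:<28} sent={r.sent_id} issued={r.issued_id} -> {r.verdict}")
    for i, old, new in session_rotations(recs):
        print(f"session id rotated before request {i}: {old} -> {new}")
```

Run it against a real wire log (with the Cookie header on one line, as HttpClient writes it) to see, per request, whether the client returned the id the server last issued. In the constructed sample the login POST and the first upload are "ok", the rotation between them is reported once, and the last upload is flagged because it carries an id that never appeared in any Set-Cookie.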