geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Commented: (GERONIMO-5468) Support authenticate/login/logout methods in the HttpServletRequest interface
Date Tue, 14 Sep 2010 05:51:32 GMT


David Jencks commented on GERONIMO-5468:

I think that the Request.login method should never cache the authenticated user. One of the
points of jaspic was to give the external authentication mechanism control over how and when
the authenticated user is cached (e.g. for form login). However, there's no way into the jaspic
workflow from this login method.

If a client wants to avoid requesting credentials on each request, I think it needs to put
the credentials in a safe place (such as the session) itself and call the login() method on
each request. I don't think the spec is very clear on this so I will try to get some expert

> Support authenticate/login/logout methods in the HttpServletRequest interface
> -----------------------------------------------------------------------------
>                 Key: GERONIMO-5468
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 3.0-M1, 3.0
>            Reporter: Ivan
>            Assignee: Han Hong Fang
>             Fix For: 3.0
>         Attachments: GERONIMO-5468-geronimo-2.diff, GERONIMO-5468-tomcat-fork.diff, GERONIMO-5468-tomcat-original.diff,
>
> In Servlet 3.0, authenticate/login/logout methods are added in the HttpServletRequest
> interface; we need to support them in Geronimo's way.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
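
The per-request pattern described in the comment above, sketched as a Servlet 3.0 filter. This is an added example, not code from the message or from Geronimo; the class name and the two session attribute names are hypothetical, and it assumes the application's own sign-in code stored the credentials in the session.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: re-authenticates every request from credentials the
// application itself placed in the session, so nothing depends on the
// container caching the result of HttpServletRequest.login().
public class PerRequestLoginFilter implements Filter {
    // Assumed attribute names, set by the application's own sign-in code.
    static final String USER_ATTR = "app.login.user";
    static final String PASS_ATTR = "app.login.password";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;
        HttpSession session = request.getSession(false); // never create one here
        boolean loggedInHere = false;

        // login() throws if a caller is already established, so check first.
        if (session != null && request.getUserPrincipal() == null) {
            String user = (String) session.getAttribute(USER_ATTR);
            String pass = (String) session.getAttribute(PASS_ATTR);
            if (user != null && pass != null) {
                try {
                    request.login(user, pass);
                    loggedInHere = true;
                } catch (ServletException e) {
                    // Stored credentials were rejected: drop them and fail closed.
                    session.removeAttribute(USER_ATTR);
                    session.removeAttribute(PASS_ATTR);
                    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                    return;
                }
            }
        }
        try {
            chain.doFilter(request, response);
        } finally {
            // Undo only what this filter established, so the identity is
            // scoped to this request.
            if (loggedInHere) request.logout();
        }
    }
}
```

The session then holds a replayable password for its whole lifetime, so session fixation, session persistence to disk and session replication all become credential-exposure paths to account for.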
