tomcat-dev mailing list archives

From "Luigi R. Viggiano" <luigi.viggi...@consulenti.csi.it>
Subject FORM Based Authentication... is it the correct behaviour?
Date Wed, 07 Aug 2002 13:45:11 GMT
Hello,

Some days ago I started using Form Based Authentication. Briefly, I found
that when a user gets the error page intercepting the 401 status code, he loses his
credential information from the session and must redo the log-in process.
I find it uncomfortable, as, if I wanted that, I could invalidate the session in
the error page.

A more detailed report of the problem has been posted on jguru to find a
solution (I found it myself this morning):
http://www.jguru.com/forums/view.jsp?EID=976587

I've not checked yet whether this is still the same behaviour for Tomcat 4.x;
anyway, I was thinking of commenting out those two lines in my installation's
AccessInterceptor.java:

class FormAuthHandler extends ServletWrapper {

    //...cut...

    public void doService(Request req, Response res)
        throws Exception
    {
        Context ctx=req.getContext();

        String page=ctx.getFormLoginPage();
        String errorPage=ctx.getFormErrorPage();

        HttpSession session=req.getSession( true );
        String username=(String)session.getAttribute( "j_username" );

        if( username != null ) {
            // session.removeAttribute( "j_username");
            // session.removeAttribute( "j_password");
            req.setAttribute("javax.servlet.error.message", errorPage );
            contextM.handleStatus( req, res, 302 ); // redirect
            return;
        }

        //...cut...

Thanks for your attention, let me know :-)
Luigi

