tomcat-dev mailing list archives

From "Luigi R. Viggiano" <>
Subject FORM Based Authentication... is it the correct behaviour?
Date Wed, 07 Aug 2002 13:45:11 GMT

Some days ago I started using Form Based Authentication. Briefly, I found
that when a user gets the error page intercepting the 401 status code, he loses
his credential information from the session and must redo the log-in process.
I find it uncomfortable, as if I wanted that I could invalidate the session in
the error page.

A more detailed report of the problem has been posted on jguru to find a
solution (I found myself this morning):

I've not checked yet whether this is still the same behaviour for Tomcat 4.x;
anyway, I was thinking of commenting out those two lines in my installation's

class FormAuthHandler extends ServletWrapper {

    public void doService(Request req, Response res)
        throws Exception
    {
        Context ctx=req.getContext();

        String page=ctx.getFormLoginPage();
        String errorPage=ctx.getFormErrorPage();

        HttpSession session=req.getSession( true );
        String username=(String)session.getAttribute( "j_username" );

        if( username != null ) {
            // session.removeAttribute( "j_username");
            // session.removeAttribute( "j_password");
            req.setAttribute("javax.servlet.error.message", errorPage );
            contextM.handleStatus( req, res, 302 ); // redirect


Thanks for your attention, let me know :-)
