tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Container level authentication
Date Mon, 29 Sep 2003 03:21:02 GMT
I'm a bit confused by the scope for authentication.  For purposes of
discussion, assume that there is a sub-section of my web-app that is
protected via:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>somerole</role-name>
    </auth-constraint>
  </security-constraint>

If a user successfully authenticates to access a resource in the 'Protected
Area', and then subsequently requests a non-protected page, is the Container
required to report (via request.getUserPrincipal/request.getRemoteUser) the
authentication information that was used to access the 'Protected Area' for
the request to the non-protected page?

The remark in section 12.6 that the "servlet container is required to track
authentication information at the container level" (except that this is
qualified in the same sentence), and the remark in section 12.10 that a
'null' value for request.getUserPrincipal "indicates that a user is logged
out", would seem to say that the user needs to be tracked for the entire
web-app.  However, I'm the first to admit to possibly reading more into this
than was intended.

I'm asking this, since at the moment Tomcat (and, therefore, presumably the
J2EE RI) does not track user authentication for requests to
non-authenticated pages.  I'm hoping that this issue can be clarified in the
final draft of the 2.4 spec.
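An added example, not part of the message above nor Tomcat's own code: if an application needs the authenticated identity on unconstrained pages while the container only reports it for constrained ones, a filter mapped to /* can cache the container-supplied Principal in the session and re-expose it through a request wrapper. The filter class name and session attribute key are assumed; isUserInRole is deliberately not overridden because the filter has no role information.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;

// Assumed name; map it to /* in web.xml so it sees every request of the web-app.
public class RememberPrincipalFilter implements Filter {
    // Assumed session attribute key; the cache lives and dies with the session,
    // so session.invalidate() on logout also clears the remembered identity.
    static final String KEY = "example.rememberedPrincipal";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        Principal p = http.getUserPrincipal();

        if (p != null) {
            // The container authenticated this request (a constrained URL): remember it.
            http.getSession(true).setAttribute(KEY, p);
        } else if (session != null && session.getAttribute(KEY) != null) {
            // Unconstrained URL in a session that authenticated earlier:
            // re-expose only the identity, never role membership.
            final Principal cached = (Principal) session.getAttribute(KEY);
            http = new HttpServletRequestWrapper(http) {
                public Principal getUserPrincipal() { return cached; }
                public String getRemoteUser() { return cached.getName(); }
            };
        }
        chain.doFilter(http, res);
    }
}
```

Because the cached value is application state rather than container state, code behind the filter should treat it as "who logged in during this session", not as proof that the current request passed a security constraint.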