Return-Path:
Delivered-To: apmail-jakarta-tomcat-dev-archive@www.apache.org
Received: (qmail 32360 invoked from network); 21 Apr 2005 06:17:44 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 21 Apr 2005 06:17:44 -0000
Received: (qmail 82555 invoked by uid 500); 21 Apr 2005 06:17:26 -0000
Delivered-To: apmail-jakarta-tomcat-dev-archive@jakarta.apache.org
Received: (qmail 82516 invoked by uid 500); 21 Apr 2005 06:17:26 -0000
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Precedence: bulk
List-Unsubscribe:
List-Subscribe:
List-Help:
List-Post:
List-Id: "Tomcat Developers List"
Reply-To: "Tomcat Developers List"
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 82484 invoked by uid 99); 21 Apr 2005 06:17:25 -0000
X-ASF-Spam-Status: No, hits=0.2 required=10.0 tests=NO_REAL_NAME
X-Spam-Check-By: apache.org
Received: from ajax-1.apache.org (HELO ajax.apache.org) (192.87.106.226) by apache.org (qpsmtpd/0.28) with ESMTP; Wed, 20 Apr 2005 23:17:25 -0700
Received: by ajax.apache.org (Postfix, from userid 99) id 3328C2DF; Thu, 21 Apr 2005 08:17:11 +0200 (CEST)
From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 34549] New: - isUserInRole() on non-secure pages
X-Bugzilla-Reason: AssignedTo
Message-Id: <20050421061711.3328C2DF@ajax.apache.org>
Date: Thu, 21 Apr 2005 08:17:11 +0200 (CEST)
X-Virus-Checked: Checked
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT .
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=34549

           Summary: isUserInRole() on non-secure pages
           Product: Tomcat 5
           Version: 5.5.9
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: oleg.timoshenko@xantic.net

Tomcat 5.5.9.

I have two JSPs: /a.jsp and /secure/b.jsp

Deployment descriptor (related parts):

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/security/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>AGENT</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Web Portal Authentification Realm</realm-name>
    </login-config>

    <security-role>
      <role-name>AGENT</role-name>
    </security-role>

In the body of each web page I have the following scriptlet:

    <%=request.isUserInRole("AGENT")%>

I access web pages using the following two scenarios:

========================
Scenario 1 (correct behaviour):

Action [Result]
1) /a.jsp [page a is displayed, scriptlet outputs "false"] - Correct
2) /security/b.jsp [authorization request, I supply credentials of the user which has AGENT Role; page b is displayed, scriptlet outputs "true"] - Correct
3) /a.jsp [same as 1)] - Correct

========================
Scenario 2 (step 2 produces incorrect output):

1) /security/b.jsp [authorization request, I supply credentials of the user which has AGENT Role; page b is displayed, scriptlet outputs "true"]
2) /a.jsp [page a is displayed, scriptlet outputs "false", both request.getUserPrincipal() and request.getRemoteUser() give "null"] - WRONG
3) /security/b.jsp [page b is displayed, scriptlet outputs "true"] - Correct
4) /a.jsp [page a is displayed, scriptlet outputs "true"] - Correct.

Note: I instruct browsers not to cache pages by including the following scriptlet at the beginning of both pages /a.jsp and /security/b.jsp:

    <%
      response.setHeader("Cache-Control","no-cache");
      response.setHeader("Pragma","no-cache");
    %>

--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
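Added example, not part of the report and not Tomcat code: a small Python model of the two scenarios above, so the step order can be replayed offline and the role check watched at each step. Everything in it is a constructed assumption made for illustration: the realm user agent1 with the AGENT role; the rule that only a URL under the security constraint triggers BASIC authentication (401 challenge, then credentials), while an unconstrained page sees a principal only through the HTTP session; the rule that the container caches the authenticated principal in the session only when a session already exists at authentication time; and the assumption that only /security/b.jsp creates a session. Under those assumptions the replay reproduces all seven observations in the report, including the null at scenario 2 step 2; the report itself does not establish that this is the mechanism in Tomcat 5.5.9, so treat the model as one explanation that fits, not as a diagnosis. The always_use_session flag shows the alternative where a session is created at authentication time (later Tomcat releases document an alwaysUseSession attribute on the authenticator valve for this; whether 5.5.9 offers it is not claimed here).

```python
"""Replay of the bug report's two scenarios against a constructed container model.

Constructed for illustration; not Tomcat's code. Assumed rules:
  1. Only URLs under /security/ are constrained and get BASIC authentication.
  2. The authenticated principal is cached in the session only if a session
     already exists at authentication time (unless always_use_session is set);
     an unconstrained page sees a principal only through that cache.
  3. Only /security/b.jsp creates a session.
"""
import base64
import itertools
import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

USERS = {"agent1": ("s3cret", {"AGENT"})}   # constructed realm: user -> (password, roles)
CONSTRAINED_PREFIX = "/security/"
ROLE = "AGENT"

SCENARIO_1 = ["/a.jsp", "/security/b.jsp", "/a.jsp"]
SCENARIO_2 = ["/security/b.jsp", "/a.jsp", "/security/b.jsp", "/a.jsp"]


def parse_basic(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic ...' header into (user, password), or None."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


@dataclass
class Session:
    sid: str
    principal: Optional[str] = None


@dataclass
class Container:
    """Stand-in for the authenticator plus the JSPs' session handling (assumption)."""
    always_use_session: bool = False                 # create a session at auth time if none exists
    session_creating_paths: Tuple[str, ...] = ("/security/b.jsp",)  # assumption: only b.jsp does
    sessions: Dict[str, Session] = field(default_factory=dict)
    ids: itertools.count = field(default_factory=itertools.count)

    def new_session(self) -> Session:
        session = Session(f"S{next(self.ids)}")
        self.sessions[session.sid] = session
        return session

    def handle(self, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        """Serve one request; the body is what the isUserInRole scriptlet would print."""
        session = self.sessions.get(headers.get("Cookie", "").split("=", 1)[-1])
        principal = session.principal if session else None        # cached identity, if any
        resp: Dict[str, str] = {}
        if path.startswith(CONSTRAINED_PREFIX):                    # rule 1: authenticate
            creds = parse_basic(headers.get("Authorization"))
            if creds is None or USERS.get(creds[0], ("", set()))[0] != creds[1]:
                return 401, {"WWW-Authenticate": 'Basic realm="Web Portal Authentification Realm"'}, ""
            principal = creds[0]
            if session is None and self.always_use_session:
                session = self.new_session()
                resp["Set-Cookie"] = f"JSESSIONID={session.sid}"
            if session is not None:                                # rule 2: cache only in an existing session
                session.principal = principal
        if session is None and path in self.session_creating_paths:   # rule 3: the page creates its session
            session = self.new_session()
            resp["Set-Cookie"] = f"JSESSIONID={session.sid}"
        in_role = principal is not None and ROLE in USERS[principal][1]
        return 200, resp, "true" if in_role else "false"


class Browser:
    """Browser-like client: one cookie jar, and Basic credentials re-sent for any
    directory that has already challenged, which is how browsers behave."""

    def __init__(self, container: Container, user: str, password: str) -> None:
        self.container = container
        self.cookie: Optional[str] = None
        self.auth_dirs: Set[str] = set()
        self.authorization = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

    def get(self, path: str) -> str:
        directory = posixpath.dirname(path)
        headers: Dict[str, str] = {}
        if self.cookie:
            headers["Cookie"] = self.cookie
        if directory in self.auth_dirs:
            headers["Authorization"] = self.authorization
        status, resp, body = self.container.handle(path, headers)
        if status == 401:                                          # challenged: retry with credentials
            self.auth_dirs.add(directory)
            headers["Authorization"] = self.authorization
            status, resp, body = self.container.handle(path, headers)
        if "Set-Cookie" in resp:
            self.cookie = resp["Set-Cookie"]
        return body


def run_scenario(paths: List[str], always_use_session: bool = False) -> List[str]:
    """Walk the steps with a fresh browser and container; returns each step's scriptlet output."""
    browser = Browser(Container(always_use_session=always_use_session), "agent1", "s3cret")
    return [browser.get(path) for path in paths]


if __name__ == "__main__":
    for name, steps in (("Scenario 1", SCENARIO_1), ("Scenario 2", SCENARIO_2)):
        print(name, list(zip(steps, run_scenario(steps))))
    print("Scenario 2, session created at authentication:", run_scenario(SCENARIO_2, True))
```

Run it directly to print each step's output. The practitioner's takeaway is the one the report illustrates: on a page outside every security constraint, isUserInRole() and getUserPrincipal() report only what the session cache holds, so a page that needs the caller's identity belongs under a constraint, and any reproduction of this class of problem has to replay the exact request order with a cookie-preserving client, because the first request that creates the session decides what the later ones see.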
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org