Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Date: Fri, 6 Oct 2000 20:33:41 -0700 (PDT)
From: kenneth topp <caught@prodigy.net>
To: tomcat-user@jakarta.apache.org
Subject: Re: Sharing sessions across contexts?
In-Reply-To: <39DE8F47.927D0A74@eng.sun.com>
Message-ID: <Pine.LNX.4.21.0010062000060.1102-100000@dynasty>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


On Fri, 6 Oct 2000, Craig R. McClanahan wrote:

> kenneth topp wrote:
> 
> > this is just an implementation of http authentication of rfc2617, no?
> >
> 
> I forgot to mention that Tomcat 4.0 supports all four login methods
> described in the servlet spec:

I need to read this spec!

> 
> * HTTP BASIC (from RFC2617)
> * HTTP DIGEST (also from RFC2617, does not send passwords
>   in cleartext across the network)

I don't think any used browsers support this yet.

> * Form-Based Login (from the servlet spec)

This sounds cool.  Just read the spec.  I'm not sure how you can (on
successful login) _redirect_ the user to the orginal stored URL with
request parameters intact.  I'm guessing that it will always stay the same
URL.  I don't think I solved redirecting browsers from request's stuffed
with POST data, and keeping them.  I guess the servlet container could
always play tricks (storing the data in the server, and feeding them into
the request on success).  Cannot wait to see the code for this.

> * SSL client certificate authentication

Nice.

I'm still struggling with how to merge these authentication systems with
the simple authorization schemes they tend to insist upon (ie: user can or
cannot do, based on the name or their group).

Well, anyway, thanks for the update!

Kenneth Topp