tomcat-users mailing list archives

From André de Jesus <>
Subject Re: Caching Login Info in Tomcat 3.2.x
Date Tue, 02 Oct 2001 13:03:04 GMT

If you are using container-managed authentication (the system that comes 
with Tomcat, that is configured for each Realm in the file server.xml), 
then the user roles and passwords are already automatically cached for 
each session (the isUserInRole() function and other similar functions do 
not trigger database accesses every time).

If, on the other hand, you are authenticating the users with your own 
authentication system, then you could cache the authentication 
information in a session object (this is exactly what Tomcat does by 
default). Then, all private pages would check if the session object 
exists and if the user has been authenticated before displaying the 
private information.

The only publicly visible key to this object is the session id, so all 
security problems could come from this session key being known to 
intermediate parties. Depending on the security level required by your 
application, you could consider setting lower expiration times for the 
session (or even explicitly expiring the session once some user 
operations have been successfully completed, with 
setMaxInactiveInterval()), or protecting the HTTP communication with SSL.

Andre de Jesus

Renato Romano wrote:

>I would like Tomcat to avoid accessing the DB for EVERY ACCESS to a reserved
>page. I think the best way to do this (apart from upgrading to Tomcat 4.0
>!!) is to store the login info, or maybe just a flag "I'm authenticated", in
>the session object. Has anyone already made something similar? Should I
>only redefine methods in my Realm object? Is there some security issue I'm
>not taking care of??

André de Jesus <>
TEKTIX - Consultoria em Sistemas de Informação, L.da
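The scheme André describes for a custom authentication system (verify credentials once, cache the result in the session, gate every private page on that cached flag, keep the idle timeout short and expire the session explicitly when a sensitive operation is done) as an added servlet example; this is not code from the thread or from Tomcat. It uses only the servlet 2.2 session API available on Tomcat 3.2. The attribute names, the `/login` and `/account` paths, the ten-minute timeout and the in-memory credential table are all assumptions made for the example; the table stands in for whatever backend the application actually authenticates against.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Session-side cache of the authentication result (attribute names are assumptions). */
final class AuthSession {
    static final String USER_ATTR = "auth.user";
    static final String ROLES_ATTR = "auth.roles";
    /** Short idle timeout in seconds, as suggested for applications needing a higher security level. */
    static final int MAX_INACTIVE_SECONDS = 10 * 60;

    private AuthSession() {}

    /** Record a successful login in a fresh session so the pre-login session id is not kept. */
    static void markAuthenticated(HttpServletRequest req, String user, String[] roles) {
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute(USER_ATTR, user);
        session.setAttribute(ROLES_ATTR, roles);
        session.setMaxInactiveInterval(MAX_INACTIVE_SECONDS);
    }

    /** The cached user name, or null if this request carries no authenticated session. */
    static String authenticatedUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }

    /** Role check answered from the session cache alone; no database access per request. */
    static boolean hasRole(HttpServletRequest req, String role) {
        HttpSession session = req.getSession(false);
        String[] roles = session == null ? null : (String[]) session.getAttribute(ROLES_ATTR);
        if (roles == null) {
            return false;
        }
        for (String r : roles) {
            if (r.equals(role)) {
                return true;
            }
        }
        return false;
    }

    /** Explicitly end the session, e.g. once a sensitive operation has completed. */
    static void endSession(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}

/** Every private page extends this; the gate consults only the session cache. */
abstract class PrivateServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (AuthSession.authenticatedUser(req) == null) {
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        doPrivateGet(req, resp);
    }

    protected abstract void doPrivateGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException;
}

/** A private page: rendered only when the session carries the cached authentication. */
class AccountServlet extends PrivateServlet {
    protected void doPrivateGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Account page for " + AuthSession.authenticatedUser(req));
        out.println("admin role: " + AuthSession.hasRole(req, "admin"));
    }
}

/** Login endpoint: the single place that consults the credential store. */
class LoginServlet extends HttpServlet {
    // Constructed sample store (user -> SHA-256 of password); a real backend would use a salted
    // password hash and live outside the web tier. Populated at startup purely for the example.
    private static final Map<String, byte[]> STORE = new HashMap<String, byte[]>();
    private static final Map<String, String[]> ROLES = new HashMap<String, String[]>();
    static {
        STORE.put("alice", sha256("correct horse"));          // constructed credential
        ROLES.put("alice", new String[] {"user", "admin"});   // constructed roles
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("user");
        String password = req.getParameter("password");
        byte[] expected = user == null ? null : STORE.get(user);
        // Constant-time comparison of digests avoids leaking how many bytes matched.
        if (expected == null || password == null || !MessageDigest.isEqual(expected, sha256(password))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        AuthSession.markAuthenticated(req, user, ROLES.get(user));
        resp.sendRedirect(req.getContextPath() + "/account");
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

After the login POST, every request to a `PrivateServlet` subclass is answered from the session attributes; the database is touched only in `LoginServlet`. The session id remains the single secret that ties a browser to the cached result, which is why `markAuthenticated` discards the pre-login session, `MAX_INACTIVE_SECONDS` is kept short, and `endSession` is there to call once a sensitive operation has finished; transporting that id over SSL, as the message recommends, is a connector setting rather than application code.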
