tomcat-users mailing list archives

From "Mika Goeckel" <m...@stepstone.de>
Subject Re: Principal caching with authentication
Date Tue, 13 Nov 2001 23:23:05 GMT
Chris,

sessions are there by default, you can only avoid them by specifying in your
<%@ page session="false" %> directive to disable them.
Sessions are in use once you declare a <jsp:useBean id="something"
scope="session"> with session as scope.

Cheers, Mika
:wq

----- Original Message -----
From: "Bongiorno, Christian" <Bongiorno.Christian@ensco.com>
To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
Sent: Wednesday, November 14, 2001 12:06 AM
Subject: RE: Principal caching with authentication


> How would I know if I was or wasn't using sessions? Maybe I don't understand
> the use of the term correctly. What is the default? I can check the config
>
> -----Original Message-----
> From: Craig R. McClanahan [mailto:craigmcc@apache.org]
> Sent: Tuesday, November 13, 2001 5:48 PM
> To: Tomcat Users List
> Subject: Re: Principal caching with authentication
>
>
>
>
> On Tue, 13 Nov 2001, Bongiorno, Christian wrote:
>
> > Date: Tue, 13 Nov 2001 17:49:40 -0500
> > From: "Bongiorno, Christian" <Bongiorno.Christian@ensco.com>
> > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > To: 'Tomcat Users List' <tomcat-user@jakarta.apache.org>
> > Subject: Principal caching with authentication
> >
> > Here is something else I am wrestling with. When a user hits a protected
> > page and authenticates, subsequent authentication requests for every page
> > clicked on occur. I have been reading that there is some sort of caching
> > going on, but I still have my authenticate() method called even though the
> > user has been validated as having access roles for that session. So, maybe
> > once again I am missing it, but, I could cache the credentials on my own if
> > I could get a session timeout event and the Principal it was using for that
> > session. I could just do a quick lookup on the principal to see if I have it
> > already -- if so return it, else get a new one.
> >
> >
> > Am I thinking correctly?
> >
>
> In Tomcat 4, the standard Authenticators cache authenticated principals in
> the current session, ***if*** there is one (and assuming you do not turn
> it off with configuration options).  In the absence of sessions, your
> Realm.authenticate() method will get called on every request.
>
> It is also common to see your authenticate() method called twice, even
> when using sessions, if the session hasn't been created yet when
> authentication occurs.  But beyond that, as long as you're using sessions,
> the authenticated Principal will be cached and reused throughout the life
> of this session.
>
> > Chris
> >
>
> Craig
>
>
> --
> To unsubscribe:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands: <mailto:tomcat-user-help@jakarta.apache.org>
> Troubles with the list: <mailto:tomcat-user-owner@jakarta.apache.org>
>



