tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Principal caching with authentication
Date Tue, 13 Nov 2001 22:48:22 GMT


On Tue, 13 Nov 2001, Bongiorno, Christian wrote:

> Date: Tue, 13 Nov 2001 17:49:40 -0500
> From: "Bongiorno, Christian" <Bongiorno.Christian@ensco.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: 'Tomcat Users List' <tomcat-user@jakarta.apache.org>
> Subject: Principal caching with authentication
>
> Here is something else I am wrestling with. When a user hits a protected
> page and authenticates, subsequent authentication requests for every page
> clicked on occur. I have been reading that there is some sort of caching
> going on, but I still have my authenticate() method called even though the
> user has been validated as having access roles for that session. So, maybe
> once again I am missing it, but, I could cache the credentials on my own if
> I could get a session timeout event and the Principal it was using for that
> session. I could just do a quick lookup on the principal to see if I have it
> already -- if so return it, else get a new one.
>
>
> Am I thinking correctly?
>

In Tomcat 4, the standard Authenticators cache authenticated principals in
the current session, ***if*** there is one (and assuming you do not turn
it off with configuration options).  In the absence of sessions, your
Realm.authenticate() method will get called on every request.

It is also common to see your authenticate() method called twice, even
when using sessions, if the session hasn't been created yet when
authentication occurs.  But beyond that, as long as you're using sessions,
the authenticated Principal will be cached and reused throughout the life
of this session.

> Chris
>

Craig
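
The following is an added illustration, not part of the original message and not Tomcat's own code: a plain-Java model of the behaviour described in the reply, counting how often the credential check runs with and without a session. All class and method names are hypothetical stand-ins, and the "called twice" case before the session exists is not modelled.

```java
import java.security.Principal;

// Simplified model of the caching described above; these are NOT Tomcat classes.
public class PrincipalCacheModel {
    static int realmCalls = 0;                 // how often the "Realm" was consulted

    // Minimal Principal so the model compiles without any container on the classpath.
    static class User implements Principal {
        private final String name;
        User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Stand-in for an HTTP session: one slot for the cached Principal.
    static class Session { Principal cached; }

    // Stand-in for Realm.authenticate(): the credential check we want to avoid repeating.
    static Principal realmAuthenticate(String user, String password) {
        realmCalls++;
        return "secret".equals(password) ? new User(user) : null;  // constructed credentials
    }

    // Stand-in for the authenticator step that runs on every protected request.
    // 'cache' models the configuration option that can turn caching off.
    static Principal authenticate(Session session, boolean cache, String user, String password) {
        if (cache && session != null && session.cached != null) {
            return session.cached;             // reuse: the Realm is not called
        }
        Principal p = realmAuthenticate(user, password);
        if (cache && session != null && p != null) {
            session.cached = p;                // failed logins are never cached
        }
        return p;
    }

    // Issue 'requests' protected requests and report how many reached the Realm.
    static int realmCallsFor(Session session, boolean cache, int requests) {
        realmCalls = 0;
        for (int i = 0; i < requests; i++) {
            authenticate(session, cache, "chris", "secret");
        }
        return realmCalls;
    }

    public static void main(String[] args) {
        System.out.println("no session:         " + realmCallsFor(null, true, 5));
        System.out.println("session, cache on:  " + realmCallsFor(new Session(), true, 5));
        System.out.println("session, cache off: " + realmCallsFor(new Session(), false, 5));
    }
}
```

Because the cached Principal lives in the session, it goes away when the session is invalidated or times out, which is the lifetime the reply describes.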

