tomcat-users mailing list archives

From "Bongiorno, Christian" <>
Subject RE: Principal caching with authentication
Date Tue, 13 Nov 2001 23:06:53 GMT
How would I know if I was or wasn't using sessions? Maybe I don't understand
the use of the term correctly. What is the default? I can check the config

-----Original Message-----
From: Craig R. McClanahan []
Sent: Tuesday, November 13, 2001 5:48 PM
To: Tomcat Users List
Subject: Re: Principal caching with authentication

On Tue, 13 Nov 2001, Bongiorno, Christian wrote:

> Date: Tue, 13 Nov 2001 17:49:40 -0500
> From: "Bongiorno, Christian" <>
> Reply-To: Tomcat Users List <>
> To: 'Tomcat Users List' <>
> Subject: Principal caching with authentication
> Here is something else I am wrestling with. When a user hits a protected
> page and authenticates, subsequent authentication requests for every page
> clicked on occur. I have been reading that there is some sort of caching
> going on, but I still have my authenticate() method called even though the
> user has been validated as having access roles for that session. So, maybe
> once again I am missing it, but, I could cache the credentials on my own
> I could get a session timeout event and the Principal it was using for
> session. I could just do a quick lookup on the principal to see if I have
> already -- if so return it, else get a new one.
> Am I thinking correctly?

In Tomcat 4, the standard Authenticators cache authenticated principals in
the current session, ***if*** there is one (and assuming you do not turn
it off with configuration options).  In the absence of sessions, your
Realm.authenticate() method will get called on every request.

It is also common to see your authenticate() method called twice, even
when using sessions, if the session hasn't been created yet when
authentication occurs.  But beyond that, as long as you're using sessions,
the authenticated Principal will be cached and reused throughout the life
of this session.

> Chris


To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>
