tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Realm Authentication lost when tomcat is restarted
Date Fri, 05 Apr 2002 17:27:02 GMT


On Fri, 5 Apr 2002, Bill Gibbs wrote:

> Date: Fri, 5 Apr 2002 09:12:16 -0500
> From: Bill Gibbs <bgibbs@edurotech.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: tomcat-user@jakarta.apache.org
> Subject: Realm Authentication lost when tomcat is restarted
>
> I have a JDBCRealm setup that works great.  I can log in, it protects the
> resource I specified.
>
> But when I stop, then start tomcat, I lose the authentication and have to
> relogin.
>

Yep.  The sessions (and any serializable attributes) are saved across
restarts (even without setting up the persistent manager and file store),
but the fact that you've logged in is not.  I would consider it a security
risk to change this design.

One workaround to this would be to use BASIC authentication (at least for
development).  This succeeds because the browser keeps sending the
credentials with every request, so it automatically logs back on for you.
Of course, you can't log off by invalidating the session if you do this,
but ...

Craig
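
The workaround described in this reply, as an added example that is not part of the original message or of Tomcat's own documentation: a `web.xml` fragment that switches the login method to BASIC for development. The URL pattern, role name, realm name and login page paths are assumptions, as is the FORM configuration shown for contrast.

```xml
<!-- web.xml fragment (Servlet 2.3 deployment descriptor); added example.
     /protected/*, "user", "Dev Realm" and the login page paths are assumed values. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/protected/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumed starting point: FORM login. The session survives a restart,
     but the authenticated principal does not, so the user must log in again.
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
-->

<!-- Development workaround: BASIC login. The browser resends the
     Authorization header on every request, so the first request after a
     restart re-authenticates against the JDBCRealm without a prompt.
     Invalidating the session no longer logs the user off. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Dev Realm</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

With BASIC the credentials travel base64-encoded, not encrypted, on every request, so outside development the protected paths should only be reachable over TLS.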

