tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Mohrig <>
Subject RE: tomcat4 + declarative security
Date Wed, 21 Aug 2002 11:19:48 GMT
The answers are "yes" and "yes". You can determine the user's
"logged-in-ness" with a call to "request.getRemoteUser()", which should
return "null" if he is not and his name (login) otherwise. This should
always be the case, regardless of the currently requested resource having a
security-constraint or nor, but of course a login will only be demanded if
it has such a constraint.

If you experience different behaviour, I will surely be interested to learn
about it.

Andreas Mohrig
-----Original Message-----
From: jfc []
Sent: Wednesday, August 21, 2002 1:26 PM
Subject: tomcat4 + declarative security


I have two questions regarding declarative security ( I use 
JBoss2.4.x+Tomcat4.0 + struts1.1, on suse linux7.2  - ):

1.    Is tomcat 4 supposed to be able to distinguish previously 
authenticated users from unauthenticated users?

    I assumed the answer to this question is yes because otherwise the 
user would have to undergo the entire authentication process repeatedly 
for each request that he submits within a single session.

2.    Is tomcat 4 supposed to be able to do the above (i.e. remember a 
user's logged-in-ness) regardless of whether his current request was to 
a secured resource? (again assume requests are within the same session).


To unsubscribe, e-mail:
For additional commands, e-mail:

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message