tomcat-users mailing list archives

From "Mark Schmeets" <ma...@chipware.com>
Subject RE: j_username in session cookie - where did it go?
Date Wed, 14 Aug 2002 14:54:04 GMT
Whoa, that seems like a very oversimplified answer. Some of us require
security at the data level too. A "solution" like that makes Tomcat's
authentication useless in that situation...


Mark


-----Original Message-----
From: Craig R. McClanahan [mailto:craigmcc@apache.org]
Sent: Tuesday, August 13, 2002 11:11 PM
To: Tomcat Users List
Subject: Re: j_username in session cookie - where did it go?




On Tue, 13 Aug 2002, Ed Thompson wrote:

> Date: Tue, 13 Aug 2002 22:56:32 -0400
> From: Ed Thompson <ethompson7@carolina.rr.com>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: j_username in session cookie - where did it go?
>
> I was also scraping the password - used j_username and j_passwd for
> database access.
>

There is no portable way to do that.  And Tomcat 4 does not expose them,
because the password is none of the app's business -- the user
is either authenticated or not.

> Any hints on that one?

Re-architect your app so that it needs only the username.

Craig


>
> ----- Original Message -----
> From: "Craig R. McClanahan" <craigmcc@apache.org>
> To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> Sent: Tuesday, August 13, 2002 10:41 PM
> Subject: Re: j_username in session cookie - where did it go?
>
>
> >
> >
> > On Tue, 13 Aug 2002, Ed Thompson wrote:
> >
> > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > From: Ed Thompson <ethompson7@carolina.rr.com>
> > > Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > > To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> > > Subject: j_username in session cookie - where did it go?
> > >
> > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > Tomcat 4.0.4.
> > >
> > > I am using form based authentication, and found under 3.2 I could pull
> > > j_username out of the session cookie after authentication was done.
> > >
> >
> > That's not how it really worked under 3.2, although if you are using BASIC
> > authentication you could decode the username out of the "Authorization"
> > header.
> >
> > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > and installing 4.0.4 from scratch.
> > >
> > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > have I not cfg'd something properly?
> > >
> >
> > The portable way to get ahold of the authenticated username is to call
> > request.getRemoteUser().  See the servlet spec for more details on
> > container managed security:
> >
> > http://java.sun.com/products/servlet/download.html
> >
> > > Thanx!
> > > Ed
> >
> > Craig
> >
> >
> > --
> > To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> > For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
> >
>
>
>