tomcat-users mailing list archives

From Bryan Field-Elliot <bryan_li...@netmeme.org>
Subject Re: JAASRealm/LoginManager questions
Date Fri, 14 Feb 2003 18:55:46 GMT
I was discussing these issues with Jason Hunter, whose opinion is
quoted:

BFE> Craig was basically saying, don't assume any particular behavior
BFE> which isn't specified in the spec. So, it's not safe to assume that
BFE> it will be supported to POST to j_security_check a couple of
BFE> requests later, rather than on the very next request. Bum deal.

JH> That makes perfect sense.  The one argument you have back is that
JH> Tomcat is the RI so if Tomcat does it then that's how it should be
JH> done, and then ask him to make sure Tomcat does it.

What do you say, Craig? ;)

It really opens doors, flexibility-wise, to store the "original URL
which triggered the authentication request" as a session attribute, and
allow multiple requests to occur in the interim, before the authN
request should be considered "satisfied" by a POST to j_security_check.

It presupposes that none of these intervening requests can be protected
by a security constraint, otherwise you'd throw the container into an
endless loop. ;)

Thanks,

Bryan
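
The behaviour discussed in this message, as an added example that is not part of the original post and is not Tomcat code: a toy Python model of FORM login that keeps the triggering URL as a session attribute, tolerates intervening unprotected requests, and shows the loop when the login page itself falls under a constraint. The names SAVED_URL, handle and follow, the paths and the credentials are all assumptions made for illustration.

```python
# Toy model only; SAVED_URL, handle() and follow() are hypothetical names.
SAVED_URL = "saved_request_url"      # assumed session attribute name
LOGIN_PAGE = "/login.html"           # assumed form-login-page
USERS = {"alice": "s3cret"}          # constructed sample credentials

def handle(session, method, path, protected, form=None):
    """Process one request; return (status, target)."""
    if method == "POST" and path == "/j_security_check":
        form = form or {}
        user, pw = form.get("j_username"), form.get("j_password")
        if user not in USERS or USERS[user] != pw:
            return ("error", LOGIN_PAGE)
        session["user"] = user
        # The saved URL is still there however many requests came between.
        return ("redirect", session.pop(SAVED_URL, "/"))
    needs_auth = any(path.startswith(p) for p in protected)
    if needs_auth and "user" not in session:
        session[SAVED_URL] = path    # remember what triggered the authN request
        return ("redirect", LOGIN_PAGE)
    return ("ok", path)

def follow(session, path, protected, max_hops=5):
    """Follow redirects like a browser; report a loop instead of spinning."""
    for _ in range(max_hops):
        status, target = handle(session, "GET", path, protected)
        if status != "redirect":
            return (status, target)
        path = target
    return ("loop", path)

def demo():
    protected = ["/admin"]
    session = {}
    first = follow(session, "/admin/report", protected)   # ends on login page
    for p in ("/css/site.css", "/help.html", "/register"):
        follow(session, p, protected)                     # interim, unprotected
    done = handle(session, "POST", "/j_security_check", protected,
                  {"j_username": "alice", "j_password": "s3cret"})
    # Misconfiguration: the login page is itself covered by a constraint.
    looped = follow({}, "/admin/report", ["/admin", "/login"])
    return first, done, looped

if __name__ == "__main__":
    print(demo())
```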
