tomcat-users mailing list archives

From Bryan Field-Elliot
Subject Re: JAASRealm/LoginManager questions
Date Fri, 14 Feb 2003 18:55:46 GMT
I was discussing these issues with Jason Hunter, whose opinion is

BFE> Craig was basically saying, don't assume any particular behavior
BFE> isn't specified in the spec. So, it's not safe to assume that it
BFE> be supported to POST to j_security_check a couple of requests
BFE> rather than on the very next request. Bum deal. 

JH> That makes perfect sense.  The one argument you have back is that
JH> is the RI so if Tomcat does it then that's how it should be done,
JH> then ask him to make sure Tomcat does it.

What do you say, Craig? ;)

It really opens doors, flexibility-wise, to store the "original URL
which triggered the authentication request" as a session attribute, and
allow multiple requests to occur in the interim, before the authN
request should be considered "satisfied" by a POST to j_security_check.

It presupposes that none of these intervening requests can be protected
by a security constraint, otherwise you'd throw the container into an
endless loop. ;)
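
The flow proposed in the message above, as an added example that is not part of the original post and is not Tomcat's code: a plain-Java model (no servlet API) in which the triggering URL is kept as a session attribute across several intervening requests until a POST to j_security_check consumes it. The class, the attribute name and the paths are hypothetical, and keeping the first saved URL rather than overwriting it is an assumption of this sketch.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Model of the proposed behaviour only; every name below is hypothetical.
public class SavedRequestModel {
    static final String SAVED_URL = "example.savedRequestUrl";          // assumed attribute name
    static final String LOGIN_PAGE = "/login.jsp";                      // constructed path
    static final Set<String> PROTECTED = Set.of("/account", "/orders"); // constructed constraint

    // Returns the path the container would serve (or send the client to) for one request.
    static String handle(Map<String, Object> session, String path, boolean credentialsOk) {
        if (path.equals("/j_security_check")) {
            if (!credentialsOk) {
                return LOGIN_PAGE;                 // failed login: saved URL stays in the session
            }
            session.put("user", "authenticated");
            // The saved URL is consumed here, however many requests came in between.
            Object saved = session.remove(SAVED_URL);
            return saved != null ? (String) saved : "/";
        }
        if (PROTECTED.contains(path) && !session.containsKey("user")) {
            // Keep only the first trigger, so a later protected request cannot replace it.
            session.putIfAbsent(SAVED_URL, path);
            // Every protected request is bounced to the login page again. This is the
            // loop the message warns about if the intervening pages are protected.
            return LOGIN_PAGE;
        }
        return path;                               // unprotected, or already authenticated
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String[] requests = {
            "/account",           // protected: triggers authentication, URL is saved
            "/help.html",         // unprotected intervening request
            "/register.jsp",      // another unprotected intervening request
            "/orders",            // protected intervening request: bounced to login again
            "/j_security_check"   // login POST, arriving several requests later
        };
        for (String path : requests) {
            boolean isLoginPost = path.equals("/j_security_check");
            System.out.println(path + " -> " + handle(session, path, isLoginPost));
        }
    }
}
```

Running it shows the unprotected pages being served while the attribute survives, the protected `/orders` request landing back on the login page, and the final POST returning the client to `/account`.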


