tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Franck Borel <>
Subject Re: Problems with JAAS-Realm
Date Fri, 21 Sep 2007 11:21:23 GMT
Salut David,

thanks very much for your answer!

>>  public SecurityConstraint[] findSecurityConstraints(Request request,
>> Context context) {
>>         HttpServletRequest req = request;    // catch Request
>>         session = req.getSession();          // catch session
>>         ipAddress = req.getRemoteAddr();
>> The problem:
>> In a first try this seems to work. But if more then one client try to
>> use the authentication, it catches the last IP address of the user who
>> makes a request and not the IP address of the current client I like to
>> authenticate:

>> So, the req.getRemoteAddr() seems to catch the information outside of
>> the current thread and I don't know why. Have someone an idea?

> req.getRemoteAddres() will get the address of that specific request,
> it's isolated from other simultaneous request, or lots of people would
> start getting problems using it. 
> I would be more enclined to take a look
> at where you are defining the session and ipAddress properties, it looks
> like they are class or instance level, where it's mandatory that Realm
> be ThreadSafe and stateless.

This sounds like as my problem seems to be elsewhere as I supposed. I have no 
idea where I should tell tomcat to keep the thread statefull. I tried to set 
some page directives on my login.jsp:

<%@ session="true %> (which I think is standard)
<%@ isThreadsafe="false" %>

This doesn't help. Of course, it can't work, cause the Realm is a valve and 
therefore the Realm is the part who calls the login.jsp page and the directives 
of the page appears, in manner of speaking, "to late".

How can I tell the Realm to get ThreadSafe? Or have I missunderstood something?

-- Franck

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message