tomcat-users mailing list archives

From Pierrick Terrettaz <tom...@electronet.ch>
Subject Re: realm login and user session are not the same
Date Thu, 21 Feb 2008 18:48:13 GMT


Caldarale, Charles R wrote:
>> From: Pierrick Terrettaz [mailto:tomcat@electronet.ch] 
>> Subject: realm login and user session are not the same
>>
>> When a user logs in through the realm authentication 
>> FORM method in the website, the username and login are 
>> well checked but the user comes in with the session of 
>> another user with roles of this other user.
> 
> This is almost certainly a problem in your webapp.  It's usually caused
> by storing request- or session-specific references in the wrong scope
> (e.g., placing a reference to the current request in a servlet instance
> or static field).
> 
>  - Chuck
> 

We will check in our code if there are any such references.

We are also using a ThreadLocal static reference in a class to store the
request.getUserPrincipal() to give the current username to beans which do not
have access to the request:

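public final class PrincipalStore
{
    // One slot per thread; the value stays bound to that thread until it is
    // overwritten by another set() call.
    private static final ThreadLocal<java.security.Principal> store =
        new ThreadLocal<java.security.Principal>();

    // Returns the principal bound to the calling thread, or null if none.
    public static java.security.Principal get()
    {
        return store.get();
    }

    // Binds the given principal to the calling thread.
    public static void set(final java.security.Principal principal)
    {
        store.set(principal);
    }
}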

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
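
Added example, not part of the original message and not Tomcat code: a self-contained Java demonstration of a static ThreadLocal holding a principal on a reused worker thread, first with a handler that never unbinds it, then with one that binds and unbinds in try/finally. The single-thread executor stands in for a container's request thread pool; the class name, the helper methods and the user names are constructed for the illustration.

```java
import java.security.Principal;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public final class ThreadLocalPrincipalDemo {
    // Same pattern as the PrincipalStore in the message above.
    private static final ThreadLocal<Principal> STORE = new ThreadLocal<>();

    // Hypothetical helper: builds a Principal for a constructed user name.
    static Principal named(String user) {
        return user == null ? null : () -> user;
    }

    // Stand-in for a bean that has no access to the request object.
    static String currentUser() {
        Principal p = STORE.get();
        return p == null ? "<none>" : p.getName();
    }

    // Leaky handling: binds only when a principal exists, never unbinds,
    // so whatever an earlier task left on this thread is still visible.
    static Runnable leaky(String user) {
        return () -> {
            if (user != null) STORE.set(named(user));
            System.out.println("leaky handler sees: " + currentUser());
        };
    }

    // Safe handling: always overwrite on entry, always unbind on exit.
    static Runnable safe(String user) {
        return () -> {
            STORE.set(named(user));
            try {
                System.out.println("safe handler sees:  " + currentUser());
            } finally {
                STORE.remove();
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // One worker thread reused for every task, like a pooled request thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        pool.submit(leaky("alice")).get(); // request with a principal
        pool.submit(leaky(null)).get();    // next request, no principal, same thread
        pool.submit(safe("bob")).get();    // request with a principal
        pool.submit(safe(null)).get();     // next request, no principal, same thread
        pool.shutdown();
    }
}
```

In a servlet application the try/finally would normally live in a Filter wrapped around chain.doFilter(), so the thread is clean before the container hands it to another request.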

