tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pierrick Terrettaz <>
Subject Re: realm login and user session are not the same
Date Thu, 21 Feb 2008 18:48:13 GMT

Caldarale, Charles R a écrit :
>> From: Pierrick Terrettaz [] 
>> Subject: realm login and user session are not the same
>> When a user logs in through the realm authentification 
>> FORM method in the website, the username and login are 
>> well checked but the user come in with the session of 
>> an other user with roles of this other user.
> This is almost certainly a problem in your webapp.  It's usually caused
> by storing request- or session-specific references in the wrong scope
> (e.g., placing a reference to the current request in a servlet instance
> or static field).
>  - Chuck

We will check in our code if there is any such references.

We are also using a ThreadLocal static reference in a class to store the
request.getUserPrincipal() to give the current username to beans which are not
access to the request :

public final class PrincipalStore
    private static final ThreadLocal store = new ThreadLocal();

    public static get()
        return (;

    public static void set(final principal)

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message