From: Erik Rumppe
Date: Tue, 26 Aug 2008 12:03:07 -0700
To: users@tomcat.apache.org
Subject: Authentication Issues

Hello All,

I am having a very difficult time using Tomcat authentication.
Here is the situation: For right now I am using BASIC authentication. There are 3 roles defined in the tomcat-users.xml file. To access different areas of my application requires different levels of roles. I want my users to be able to click on a link and, if they don't meet the role requirement, have the Authentication Requested login box pop up so someone with the proper level of access can simply log in right there and go to the requested screen. Instead of this happening, all I get is an HTTP error page saying that the requested resource is protected. The user then has to close their browser and re-open it to log in as another user with a different role.

It would make sense to me that Tomcat has a way of handling this issue, but I can't for the life of me find it. HELP!!!!

I have also tried to simply implement a logout function that removes the current session and (supposedly) deletes the persistent cookie and presents the user with a screen that has a link to a page that requires a login. It should (IMHO) present them with the login box once they click the link since the session and cookie were removed, but it doesn't. I've monitored the Tomcat sessions through the manager application and I know that the session is being removed for sure, but it doesn't seem that the cookie is being removed.

Here is the code for the utility that removes the session and cookie:

package logic;

import javax.servlet.http.*;
import javax.servlet.http.HttpSession.*;
import java.io.*;
import javax.servlet.*;

public class CookieUtil extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession();
        session.invalidate();
        Cookie[] cookies = request.getCookies();
        for (int i=0; i
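An added example, not part of the original message or of Tomcat's own code: with BASIC authentication the browser caches the credentials for the realm and resends them on every request, so removing the session or its cookie does not end the login, and the container answers an authenticated user who lacks the role with 403 rather than a new challenge. The sketch below turns that 403 into a 401 challenge so the browser prompts again; the class name `ReauthServlet`, the `/reauth` mapping and the realm string are assumptions for illustration.

```java
package logic;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class). Assumed web.xml wiring:
 *   <error-page><error-code>403</error-code><location>/reauth</location></error-page>
 * with this servlet mapped to /reauth.
 */
public class ReauthServlet extends HttpServlet {

    // Assumption: must equal <realm-name> in <login-config>; a different
    // string is a different protection space to the browser.
    private static final String REALM = "Application";

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set by the container only on an error dispatch.
        Integer status = (Integer) request.getAttribute("javax.servlet.error.status_code");
        if (status == null || status.intValue() != HttpServletResponse.SC_FORBIDDEN) {
            // Requested directly: do not challenge, or the prompt would loop.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // With BASIC the browser resends "Authorization: Basic ..." on every
        // request, so the container re-authenticates the same user even after
        // session.invalidate() and cookie removal. Log who was refused.
        log("403 for user " + request.getRemoteUser() + " on "
                + request.getAttribute("javax.servlet.error.request_uri"));

        // Answer 401 with a challenge instead of 403: the browser treats the
        // cached credentials as rejected, prompts, and retries the original URL.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/plain");
        response.getWriter().println("This area requires a different account.");
    }
}
```

Because BASIC credentials travel with every request, the protected areas should be served over TLS only; a server-side logout that the browser honours requires FORM authentication, where the session is the only login state.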