tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <>
Subject Re: Detect in an authenticator whether a connection is persistent or not
Date Sat, 27 Oct 2012 14:57:22 GMT
On 27/10/2012 14:50, Michael-O wrote:
> Hi,
> several authentication mechanisms require a session (*not* HTTP session)
> or connection being initiated when authentication is performed and
> principal cached for subsquent requests [1], [2].
> Now, I want to patch our SPNEGO authenticator in Tomcat 6 to behave
> stateful. I once contributed that code to Apache in bug 48465 [3] which
> does not behave like that. I like to align both authenticators.
> This issue initially popped up while fixing an issue in libserf [4] for
> the upcoming Apache Subversion version 1.8.0.
> How do I access that information in an authenticator? I do not intend to
> create a HTTP session for that for two reasons:
> 1. Creation of sessions should be upto the webapp.
> 2. There is no guarantee that the client will present the session cookie
> on a subsequent request.

The only mechanism to maintain state between HTTP requests is the HTTP
session. You might be able to hack something together (in a non-portable
way) on a per connection basis but that is likely to require some rather
major internal surgery for Tomcat (and may be rejected by the committers).

It isn't unreasonable for use of an authentication to require an HTTP
session. FORM auth does that so I don't immediately see why SPNEGO can't.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message