tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kwan Lim <kwan....@gmail.com>
Subject Re: What is the expected behaviour for system property: "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION=false"
Date Mon, 11 Sep 2017 15:44:39 GMT
Thanks Mark. Makes sense and the configuration change did the trick!

On Mon, Sep 11, 2017 at 10:05 AM, Mark Thomas <markt@apache.org> wrote:

> On 11/09/17 14:21, Kwan Lim wrote:
> > Thanks Mark. You are correct that I'm using my own application which
> looks
> > like the problem is the NonLoginAuthenticator valve is calling
> > getInternalSession() (via the AuthenticatorBase class's invoke() method).
> > Is there a way to bypass this? I'm guessing the ROOT application bypasses
> > the StandardHostValve? It looks like the code is trying to cache an
> > authenticated Principal on the request which is something we do not need
> > for our app since we do our own authentication.
>
> There are several things going on here.
>
> If a web application is not marked as metadata complete in web.xml OR it
> declares security constraints in web.xml then Tomcat needs an
> authenticator to be present.
>
> The ROOT web application does meet either of these criteria hence no
> Authenticator is configured so nothing tries to access the session.
>
> If either of the above are true and no login configuration is present in
> web.xml, Tomcat automatically adds the NonLoginAuthenticator.
>
> By default, every authenticator checks the session for a cached
> Principal. This is configurable.
>
> You need to explicitly configure the NonLoginAuthentactor and set cache
> to false. Something like the following (untested).
>
> <Context>
>   <Valve className="org.apache.catalina.authenticator.
> NonLoginAuthenticator"
>     cache="false" />
> </Context>
>
> HTH,
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message