tomcat-dev mailing list archives

From "Jeff Tulley" <>
Subject Re: [Patch] Handling of authentication success but authorization failure
Date Mon, 12 May 2003 20:40:57 GMT
This patch for sure works for the FORM authentication case, and doesn't
change the behavior of basic authentication.
The hang turned out to be due to the fact that I was not checking for a
null session.

As for using forwards instead of redirects in FormAuthenticator, I have
no opinion on the subject.  It seems to me that redirects work well
enough.  I guess I'd have to see an actual forward example to see the
difference and why you'd want to do that instead.

Can this change be made in Tomcat 4 as well?  That is what I am most
interested in.  At least the clearing of the Session Principals since
not doing so leads to a very frustrating user experience.

And, I still need to figure out how to do the equivalent clearing of
principals during a basic authentication.

Jeff Tulley  (
Novell, Inc., The Leading Provider of Net Business Solutions

>>> 5/12/03 1:21:14 PM >>>
Jeff Tulley wrote:
> Actually, I forgot to consider the basic authentication case with
> patch.  It seems easy enough with the second half of my fix, I just
> the same old error message if there is no error page defined.  That
> seems to work.  But, my code:
> Session session = getSession(hrequest);
> session.setPrincipal(null);
> seems to hang the basic authentication process.  Does anybody know of
> better way to clear out the user credentials/principal that would
> with both types of authentication?  I'll keep researching it and
> hopefully submit a better patch soon.

I was about to post an objection about the difference in behavior with

If it can be made to be consistent between auth methods, I would be ok
to consider making the change to Tomcat 5.

Other improvements could be considered for FORM auth (and make it
exactly like BASIC from the user perspective, which is the goal, using
forwards instead of redirects).
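The thread turns on two points: after a successful authentication whose authorization check fails, the principal cached in the session should be cleared so the user is re-prompted rather than stuck with a rejected identity, and the session lookup can return null (BASIC auth need not create one), which the thread identifies as the cause of the hang. The following is an added example and is not Tomcat's code or the patch from this thread; `Session`, `Outcome`, `AuthorizationFailureHandler` and the role table are constructed stand-ins for the Catalina classes, and the user names and roles are made up.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Constructed stand-in for a Catalina session; only the principal slot matters here. */
final class Session {
    private Principal principal;
    void setPrincipal(Principal p) { principal = p; }
    Principal getPrincipal() { return principal; }
}

/** Hypothetical outcome reported to the caller after the authorization step. */
enum Outcome { ALLOWED, FORBIDDEN_ERROR_PAGE, FORBIDDEN_DEFAULT_MESSAGE }

/** Hypothetical handler modelling the behaviour discussed in the thread. */
final class AuthorizationFailureHandler {
    private final Map<String, Session> sessions;    // session id -> session; lookups may miss
    private final Map<String, Set<String>> roles;   // user name -> granted roles (constructed data)
    private final String errorPage;                 // null when no error page is configured

    AuthorizationFailureHandler(Map<String, Session> sessions,
                                Map<String, Set<String>> roles, String errorPage) {
        this.sessions = sessions;
        this.roles = roles;
        this.errorPage = errorPage;
    }

    /**
     * Called after authentication already succeeded for `user`. If the user lacks
     * the required role, drop the cached principal so the next request re-prompts
     * instead of replaying the rejected identity. The session lookup is allowed to
     * return null: BASIC auth does not need a session, and the thread attributes the
     * observed hang to skipping this null check before calling setPrincipal(null).
     */
    Outcome authorize(String sessionId, Principal user, String requiredRole) {
        Set<String> granted = roles.getOrDefault(user.getName(), Set.of());
        if (granted.contains(requiredRole)) {
            return Outcome.ALLOWED;
        }
        Session session = sessionId == null ? null : sessions.get(sessionId);
        if (session != null) {                       // the check the original patch lacked
            session.setPrincipal(null);
        }
        // With an error page configured, forward or redirect there; otherwise fall back
        // to the same default message BASIC auth already produces.
        return errorPage != null ? Outcome.FORBIDDEN_ERROR_PAGE
                                 : Outcome.FORBIDDEN_DEFAULT_MESSAGE;
    }
}

public class AuthzFailureDemo {
    public static void main(String[] args) {
        Map<String, Session> sessions = new HashMap<>();
        Session formSession = new Session();
        Principal alice = () -> "alice";             // constructed user without the "admin" role
        formSession.setPrincipal(alice);
        sessions.put("S1", formSession);

        Map<String, Set<String>> roles = Map.of("alice", Set.of("user"));

        // FORM case: a session exists, so the stale principal gets cleared.
        AuthorizationFailureHandler withPage = new AuthorizationFailureHandler(sessions, roles, "/error.jsp");
        Outcome form = withPage.authorize("S1", alice, "admin");
        System.out.println("FORM: " + form + ", principal now " + formSession.getPrincipal());

        // BASIC case: no session at all; the null check keeps this path from failing.
        AuthorizationFailureHandler noPage = new AuthorizationFailureHandler(sessions, roles, null);
        Outcome basic = noPage.authorize(null, alice, "admin");
        System.out.println("BASIC: " + basic);
    }
}
```

The point of the two calls in `main` is the difference Jeff describes: the FORM path has a session whose principal must be cleared, while the BASIC path has none, so any code that assumes a session is present breaks exactly there.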
