Posted to dev@tomcat.apache.org by Jeff Tulley <JT...@novell.com> on 2003/05/12 22:40:57 UTC

Re: [Patch] Handling of authentication success but authorization failure

This patch for sure works for the FORM authentication case, and doesn't
change the behavior of basic authentication.
The hang turned out to be due to the fact that I was not checking for a
null session.

As for using forwards instead of redirects in FormAuthenticator, I have
no opinion on the subject.  It seems to me that redirects work well
enough.  I guess I'd have to see an actual forward example to see the
difference and why you'd want to do that instead.

Can this change be made in Tomcat 4 as well?  That is what I am most
interested in.  At least the clearing of the Session Principals since
not doing so leads to a very frustrating user experience.

And, I still need to figure out how to do the equivalent clearing of
principals during a basic authentication.

Jeff Tulley  (jtulley@novell.com)
(801)861-5322
Novell, Inc., The Leading Provider of Net Business Solutions
http://www.novell.com

>>> remm@apache.org 5/12/03 1:21:14 PM >>>
Jeff Tulley wrote:
> Actually, I forgot to consider the basic authentication case with that
> patch.  It seems easy enough with the second half of my fix, I just send
> the same old error message if there is no error page defined.  That
> seems to work.  But, my code:
> 
> Session session = getSession(hrequest);
> session.setPrincipal(null);
> 
> seems to hang the basic authentication process.  Does anybody know of a
> better way to clear out the user credentials/principal that would work
> with both types of authentication?  I'll keep researching it and
> hopefully submit a better patch soon.

I was about to post an objection about the difference in behavior with
BASIC.
If it can be made to be consistent between auth methods, I would be ok
to consider making the change to Tomcat 5.

Other improvements could be considered for FORM auth (and make it behave
exactly like BASIC from the user perspective, which is the goal, using
forwards instead of redirects).

Remy
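
Added example, not the patch from this thread: a hypothetical authenticator subclass sketching the two points discussed above, clearing the cached principal after an authorization failure so the user can re-authenticate, and doing it with the null-session check whose absence caused the hang. It assumes the Tomcat 4 Catalina API (AuthenticatorBase.getSession(HttpRequest), Session.setPrincipal, HttpRequest.setUserPrincipal); the Constants.FORM_PRINCIPAL_NOTE name and the errorPage parameter are assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.HttpRequest;
import org.apache.catalina.HttpResponse;
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.authenticator.Constants;

/**
 * Hypothetical subclass (example code, not the thread's patch) showing how an
 * authorization failure after a successful login can be handled the same way
 * for FORM and BASIC auth: drop the cached principal, then report the failure.
 */
public abstract class ReauthOnAuthzFailure extends AuthenticatorBase {

    /**
     * Removes every place the authenticator may have cached the user.
     * getSession(HttpRequest) returns null when no session exists, which is
     * the normal situation for BASIC auth; calling setPrincipal on that null
     * is the hang described in the thread, hence the explicit check.
     */
    protected void clearCachedPrincipal(HttpRequest hrequest) {
        Session session = getSession(hrequest);              // may be null
        if (session != null) {
            session.setPrincipal(null);                       // FORM auth, cache="true"
            session.removeNote(Constants.FORM_PRINCIPAL_NOTE); // assumed note name, cache="false"
        }
        hrequest.setUserPrincipal(null);                      // per-request principal
        hrequest.setAuthType(null);
    }

    /**
     * Authenticated but not authorized. With a form error page configured,
     * send the user there (the thread's patch uses redirects); otherwise
     * behave exactly as BASIC does and answer 403. In both cases the cached
     * principal is gone, so the next request prompts for credentials again.
     *
     * @param errorPage the configured form error page, or null if none
     */
    protected void authorizationFailed(HttpRequest hrequest, HttpResponse response,
                                       String errorPage) throws IOException {
        clearCachedPrincipal(hrequest);
        HttpServletResponse hres = (HttpServletResponse) response.getResponse();
        if (errorPage != null) {
            hres.sendRedirect(hres.encodeRedirectURL(errorPage));
        } else {
            hres.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "Access to the requested resource has been denied");
        }
    }
}
```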

