Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/12/16 20:00:31 UTC

DO NOT REPLY [Bug 12428] request.getUserPrincipal(): Misinterpretation of specification?

https://issues.apache.org/bugzilla/show_bug.cgi?id=12428

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #23 from Mark Thomas <ma...@apache.org> 2010-12-16 14:00:15 EST ---
Having looked at this further there is no need for a patch. Tomcat has the
necessary functionality to do this. You just need to ensure that a) the
application is using sessions and b) that the authenticators are configured to
cache the authenticated Principal in the session.

A recent enhancement to Tomcat 7 (the alwaysUseSession attribute) will make
this even easier. On earlier versions, ensure a session exists before the
authentication takes place. Depending on circumstances that might require a
valve.

Marking this as WONTFIX since the patch isn't going to be applied.

The other advantage of this approach is that the handling of failed unprompted
authentications does not need to be considered. There were issues with
complying with RFC 2617 with that approach and it couldn't possibly work with
DIGEST auth.

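A sketch of the valve the comment mentions for versions before Tomcat 7, as an added example that is not code from the bug report or from Tomcat. The package `example`, the class name `EnsureSessionValve`, and the choice to create a session only when an `Authorization` header is present are assumptions, as is the valve being declared in the Context so that it runs ahead of the authenticator.

```java
package example; // hypothetical package name

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Hypothetical valve: makes sure a session exists before the authenticator
 * runs, so that an authenticator with cache="true" (the default) can store
 * the authenticated Principal in it. Later requests in the same session,
 * including requests to unprotected resources, then see that Principal
 * through request.getUserPrincipal().
 *
 * Assumed context.xml for Tomcat 6 and earlier:
 *   <Context>
 *     <Valve className="example.EnsureSessionValve"/>
 *   </Context>
 *
 * On Tomcat 7 no custom valve is needed; configure the authenticator itself:
 *   <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
 *          alwaysUseSession="true"/>
 */
public class EnsureSessionValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Create a session only for requests that carry credentials.
        // Creating one for every anonymous request would let any client
        // fill the session store; this narrows that, but a client that
        // sends credentials and never returns the session cookie still
        // gets a new session per request, so keep session timeouts short.
        if (request.getHeader("Authorization") != null) {
            request.getSession(true); // returns the existing session if any
        }
        // Hand over to the rest of the pipeline (authenticator included).
        getNext().invoke(request, response);
    }
}
```

The compiled class has to be visible to Tomcat's server class loader (for example as a JAR in `lib/`), not only inside the web application.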