Posted to users@tomcat.apache.org by Andreas Mohrig <an...@cadooz.de> on 2002/08/21 13:19:48 UTC

RE: tomcat4 + declarative security

The answers are "yes" and "yes". You can determine the user's
"logged-in-ness" with a call to "request.getRemoteUser()", which should
return "null" if he is not and his name (login) otherwise. This should
always be the case, regardless of the currently requested resource having a
security-constraint or not, but of course a login will only be demanded if
it has such a constraint.

If you experience different behaviour, I will surely be interested to learn
about it.

Andreas Mohrig
-----Original Message-----
From: jfc [mailto:jfc100@btopenworld.com]
Sent: Wednesday, August 21, 2002 1:26 PM
To: tomcat-user@jakarta.apache.org
Subject: tomcat4 + declarative security


Hi,

I have two questions regarding declarative security ( I use 
JBoss2.4.x+Tomcat4.0 + struts1.1, on suse linux7.2  - ):

1.    Is tomcat 4 supposed to be able to distinguish previously 
authenticated users from unauthenticated users?

    I assumed the answer to this question is yes because otherwise the 
user would have to undergo the entire authentication process repeatedly 
for each request that he submits within a single session.

2.    Is tomcat 4 supposed to be able to do the above (i.e. remember a 
user's logged-in-ness) regardless of whether his current request was to 
a secured resource? (again assume requests are within the same session).

cheers
jfc


--
To unsubscribe, e-mail:
<ma...@jakarta.apache.org>
For additional commands, e-mail:
<ma...@jakarta.apache.org>
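
One way to check the behaviour described in the reply above on a given Tomcat/JBoss bundle, as an added example that is not part of the original thread: a servlet filter that logs what request.getRemoteUser() returns for every request, whether or not the URL has a security-constraint. The class name AuthStateLogFilter and the /* filter mapping are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic filter (name and mapping are assumptions).
// Map it to /* in web.xml so it also runs for URLs that have no
// security-constraint, then compare the log lines for protected and
// unprotected requests made within the same session.
public class AuthStateLogFilter implements Filter {
    private ServletContext context;

    public void init(FilterConfig config) throws ServletException {
        context = config.getServletContext();
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            Principal principal = http.getUserPrincipal();
            HttpSession session = http.getSession(false); // never create a session here
            // Log only whether a session exists, not its id: session ids
            // are credentials and do not belong in log files.
            context.log("auth-state uri=" + http.getRequestURI()
                    + " remoteUser=" + http.getRemoteUser()
                    + " principal=" + (principal == null ? null : principal.getName())
                    + " authType=" + http.getAuthType()
                    + " sessionIdSent=" + (http.getRequestedSessionId() != null)
                    + " sessionIdValid=" + http.isRequestedSessionIdValid()
                    + " sessionExists=" + (session != null));
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
        context = null;
    }
}
```

A log line with sessionIdValid=true and remoteUser=null for an unprotected URL, following a successful login in the same session, is the case the second question asks about.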



Re: tomcat4 + declarative security

Posted by jfc <jf...@btopenworld.com>.
Andreas Mohrig wrote:

>The answers are "yes" and "yes". You can determine the user's
>"logged-in-ness" with a call to "request.getRemoteUser()", which should
>return "null" if he is not and his name (login) otherwise. This should
>always be the case, regardless of the currently requested resource having a
>security-constraint or not, but of course a login will only be demanded if
>it has such a constraint.
>
>If you experience different behaviour, I will surely be interested to learn
>about it.
>
>Andreas Mohrig
>-----Original Message-----
>From: jfc [mailto:jfc100@btopenworld.com]
>Sent: Wednesday, August 21, 2002 1:26 PM
>To: tomcat-user@jakarta.apache.org
>Subject: tomcat4 + declarative security
>
>
>Hi,
>
>I have two questions regarding declarative security ( I use 
>JBoss2.4.x+Tomcat4.0 + struts1.1, on suse linux7.2  - ):
>
>1.    Is tomcat 4 supposed to be able to distinguish previously 
>authenticated users from unauthenticated users?
>
>    I assumed the answer to this question is yes because otherwise the 
>user would have to undergo the entire authentication process repeatedly 
>for each request that he submits within a single session.
>
>2.    Is tomcat 4 supposed to be able to do the above (i.e. remember a 
>user's logged-in-ness) regardless of whether his current request was to 
>a secured resource? (again assume requests are within the same session).
>
>cheers
>jfc
>
>
Right, well I have a situation where point 2 is not working. If I roll 
my versions back to bundle jb243+tc40, I get the predicted behaviour of 
which you speak.

What version/s are you using?

jfc


