Posted to dev@tomcat.apache.org by Bill Barker <wb...@wilshire.com> on 2003/09/29 05:21:02 UTC

Container level authentication

I'm a bit confused by the scope for authentication.  For purposes of
discussion, assume that there is a sub-section of my web-app that is
protected via:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>somerole</role-name>
    </auth-constraint>
  </security-constraint>

If a user successfully authenticates to access a resource in the 'Protected
Area', and then subsequently requests a non-protected page, is the Container
required to report (via request.getUserPrincipal/request.getRemoteUser) the
authentication information that was used to access the 'Protected Area' for
the request to the non-protected page?

The remark in section 12.6 that the "servlet container is required to track
authentication information at the container level" (except that this is
qualified in the same sentence), and the remark in section 12.10 that a
'null' value for request.getUserPrincipal "indicates that a user is logged
out", would seem to say that the user needs to be tracked for the entire
web-app.  However, I'm the first to admit to possibly reading more into this
than was intended.

I'm asking this, since at the moment Tomcat (and, therefore, presumably the
J2EE RI) does not track user authentication for requests to
non-authenticated pages.  I'm hoping that this issue can be clarified in the
final draft of the 2.4 spec.
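
An added example, not part of the original post and not Tomcat code: a servlet filter that lets an application cope with the behaviour described above, where `request.getUserPrincipal()` returns `null` on pages outside `/protected/*` even after a successful login. The class name and attribute keys are hypothetical, and the filter is assumed to be mapped to `/*` in `web.xml`.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter for illustration; map it to /* in web.xml.
public class PrincipalTrackingFilter implements Filter {
    // Attribute names are assumptions made for this example.
    static final String SESSION_KEY = "example.trackedUser";
    static final String REQUEST_KEY = "example.displayUser";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Principal principal = http.getUserPrincipal();
        if (principal != null) {
            // The container authenticated this request (for example under
            // /protected/*): remember the name for later unprotected requests.
            http.getSession(true).setAttribute(SESSION_KEY, principal.getName());
            req.setAttribute(REQUEST_KEY, principal.getName());
        } else {
            // null may only mean "no constraint matched this URL", not
            // "logged out"; fall back to the name seen earlier in the session.
            HttpSession session = http.getSession(false);
            Object name = (session == null) ? null : session.getAttribute(SESSION_KEY);
            if (name != null) {
                req.setAttribute(REQUEST_KEY, name);
            }
        }
        chain.doFilter(req, res);
    }
}
```

The remembered name is suitable for display on unprotected pages only; access decisions should still rest on the `<security-constraint>` and the container's own principal.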



Re: TC 3.3.2

Posted by Henri Gomez <hg...@apache.org>.
Bill Barker wrote:

> ----- Original Message -----
> From: "Henri Gomez" <hg...@apache.org>
> To: "Tomcat Developers List" <to...@jakarta.apache.org>
> Sent: Monday, September 29, 2003 2:55 AM
> Subject: TC 3.3.2
> 
> 
> 
>>Hi to all,
>>
>>I committed the last part of clean imports and started to take a look
>>at bugzilla where many reports seem still open.
>>
>>What's the strategy now?
>>
>>Should we close those which seem invalid?
>>
> 
> 
> Without looking, I believe that most of the open bugs for 3.3 are either for
> the native connectors (and so are really j-t-c bugs), or for the
> Http10Interceptor (which we are deprecating/removing).  Of course, most of
> the 91 open Tomcat 3 bugs are for 3.2.x.

So we should mark the 91 3.2.x bugs as WONTFIX and add a comment that
3.2.x is deprecated and replaced by 3.3.x




Re: TC 3.3.2

Posted by Bill Barker <wb...@wilshire.com>.
----- Original Message -----
From: "Henri Gomez" <hg...@apache.org>
To: "Tomcat Developers List" <to...@jakarta.apache.org>
Sent: Monday, September 29, 2003 2:55 AM
Subject: TC 3.3.2


> Hi to all,
>
> I committed the last part of clean imports and started to take a look
> at bugzilla where many reports seem still open.
>
> What's the strategy now?
>
> Should we close those which seem invalid?
>

Without looking, I believe that most of the open bugs for 3.3 are either for
the native connectors (and so are really j-t-c bugs), or for the
Http10Interceptor (which we are deprecating/removing).  Of course, most of
the 91 open Tomcat 3 bugs are for 3.2.x.



TC 3.3.2

Posted by Henri Gomez <hg...@apache.org>.
Hi to all,

I committed the last part of clean imports and started to take a look
at bugzilla where many reports seem still open.

What's the strategy now?

Should we close those which seem invalid?



