Posted to users@tomcat.apache.org by Dan Allen <da...@mojavelinux.com> on 2003/04/01 20:31:49 UTC

JDBCrealm drops user after manager reload

I am having a fairly painful problem here dealing with
authentication using the JDBCRealm and container managed security.
In particular I am using securityfilter, but I seriously doubt that
this problem involves that application directly.

If I use the default SecurityRealm that comes with the security
filter application, which just manually sets the userInRole and
getRemoteUser information, I can reload the context over and over
and never drop the user.  When I use JDBCRealm to handle users in a
database and I reload the context after logging in, all the active
sessions lose their security principals and roles.  The thing is,
all the session data is still there, working as normal.  I get no
messages in the log files regarding a failure of any kind.

In short:

Why does a context reload kill the user principal information and
how can I fix it?

To duplicate:

Grab securityfilter from securityfilter.sourceforge.net.  Log in out
of the box, reload the context and view the securePage.jsp again.
No problem.  Now, change the realm to JDBCRealm, log in, reload
the context and visit the securePage.jsp...aha, now it says you are
not logged in and takes you to the login page.

Dan

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Daniel Allen, <da...@mojavelinux.com>
http://www.mojavelinux.com/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
"This is a test of the Emergency Broadcast System.  If this had 
been an actual emergency, do you really think we'd stick around 
to tell you?"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: JDBCrealm drops user after manager reload

Posted by Dan Allen <da...@mojavelinux.com>.
Filip Hanik (mail@filip.net) wrote:

> I believe that during restart of a context, all sessions get serialized to
> disk, but the serialization does not serialize the principal. You can try to
> file a bug for this, but I might be afraid that it may get shut down because
> of security concerns.

Well here is the issue.  I am running a site, I need to upgrade a
few things and all my users just got kicked off in the process.
This seems to me like a major problem.  Am I supposed to wait until
3 in the morning to implement updates to the code?  This just seems
unreasonable.  While keeping all session data you lose the one part
of it that holds it all together?

Dan

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Daniel Allen, <da...@mojavelinux.com>
http://www.mojavelinux.com/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Microsoft's Law of Software Engineering: 
Don't worry if it doesn't work right. 
If everything did, we'd be out of a job.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 



RE: JDBCrealm drops user after manager reload

Posted by Filip Hanik <ma...@filip.net>.
I believe that during restart of a context, all sessions get serialized to
disk, but the serialization does not serialize the principal. You can try to
file a bug for this, but I might be afraid that it may get shut down because
of security concerns.

Filip

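
Added example, not part of the thread and not Tomcat's code: a minimal model of the behaviour Filip describes, where a session is serialized and restored with its attributes intact but without its principal. `DemoSession`, `DemoPrincipal` and `reload` are hypothetical names, and the in-memory buffer stands in for the on-disk session store.

```java
import java.io.*;
import java.security.Principal;
import java.util.*;

public class SessionReloadDemo {
    // Hypothetical stand-in for a container session; not Tomcat's class.
    static class DemoSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final Map<String, Serializable> attributes = new HashMap<>();
        // transient: skipped by Java serialization, so it is null after restore.
        transient Principal principal;
        DemoSession(String id) { this.id = id; }
    }

    // Deliberately not Serializable, like an identity object built by a realm.
    static class DemoPrincipal implements Principal {
        private final String name;
        DemoPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Models "serialize on context stop, deserialize on context start".
    static DemoSession reload(DemoSession s) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(s);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (DemoSession) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        DemoSession before = new DemoSession("constructed-session-id");
        before.attributes.put("cart", "3 items");      // constructed sample data
        before.principal = new DemoPrincipal("dan");   // set at login

        DemoSession after = reload(before);
        System.out.println("session id kept:  " + after.id.equals(before.id));
        System.out.println("attributes kept:  " + after.attributes);
        System.out.println("principal kept:   " + (after.principal != null));
        // The equivalent of getRemoteUser() now returns null, so access checks fail closed.
        String remoteUser = after.principal == null ? null : after.principal.getName();
        System.out.println(remoteUser == null ? "redirect to login" : "user " + remoteUser);
    }
}
```

The restored session keeps its id and attributes while the identity is gone, which matches the symptom in the original report: session data still works, but the protected page sends the user back to the login form.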