Posted to dev@tomcat.apache.org by "Luigi R. Viggiano" <lu...@consulenti.csi.it> on 2002/08/07 15:45:11 UTC
FORM Based Authentication... is it the correct behaviour?
Hello,
some days ago I started using Form Based Authentication. Briefly, I found
that when the user gets the error page intercepting the 401 status code, he
loses his credential information from the session and must redo the log-in
process.
I find it uncomfortable, because if I wanted that, I could invalidate the
session in the error page.
A more detailed report of the problem has been posted on jguru to find a
solution (I found one myself this morning):
http://www.jguru.com/forums/view.jsp?EID=976587
I've not checked yet whether this is still the same behaviour in Tomcat 4.x;
anyway, I was thinking of commenting out these two lines in my installation's
AccessInterceptor.java:

    class FormAuthHandler extends ServletWrapper {
        //...cut...
        public void doService(Request req, Response res)
            throws Exception
        {
            Context ctx=req.getContext();
            String page=ctx.getFormLoginPage();
            String errorPage=ctx.getFormErrorPage();
            HttpSession session=req.getSession( true );
            String username=(String)session.getAttribute( "j_username" );
            if( username != null ) {
                // session.removeAttribute( "j_username");
                // session.removeAttribute( "j_password");
                req.setAttribute("javax.servlet.error.message", errorPage );
                contextM.handleStatus( req, res, 302 ); // redirect
                return;
            }
            //...cut...

Thanks for your attention, let me know :-)
Luigi