Posted to users@tomcat.apache.org by Taavi Tiirik <ta...@ibs.ee> on 2001/08/26 15:49:19 UTC

how to check if user is authenticated

I am doing form based login using JDBCRealm and for logging out
I call request.getSession().invalidate().

The problem is that after invalidation (during the very same
request) I can still use request.getRemoteUser() and it returns
user name just like before calling session.invalidate().

What would be the proper way of asking if the user is logged
in or not? I cannot set any session attributes during login
process since I am using tomcat's built in JDBCRealm
authentication.

Oh and I am using latest nightly build of Tomcat 4.0.

Thank you so much for your time

with best wishes,
Taavi




Re: how to check if user is authenticated

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Sun, 26 Aug 2001, Taavi Tiirik wrote:

> Date: Sun, 26 Aug 2001 15:49:19 +0200
> From: Taavi Tiirik <ta...@ibs.ee>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user@jakarta.apache.org
> Subject: how to check if user is authenticated
>
>
> I am doing form based login using JDBCRealm and for logging out
> I call request.getSession().invalidate().
>

By the way, this works only if you are using form-based login -- for BASIC
login you have to ask your user to log out.

> The problem is that after invalidation (during the very same
> request) I can still use request.getRemoteUser() and it returns
> user name just like before calling session.invalidate().
>

That is because the authentication decision for *this* request was made at
the beginning of the request, and lasts for the entire length of that
request -- no matter what else happens.

> What would be the proper way of asking if the user is logged
> in or not? I cannot set any session attributes during login
> process since I am using tomcat's built in JDBCRealm
> authentication.

The simplest thing would be to use an HttpSessionListener (a new listener
API added in servlet 2.3).  Such listeners are notified when a new session
is created (even if it's done by Tomcat) and destroyed.

>
> Oh and I am using latest nightly build of Tomcat 4.0.
>
> Thank you so much for your time
>
> with best wishes,
> Taavi
>
>
>
>

Craig McClanahan
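
The listener approach suggested in the reply above, sketched as an added example that is not part of the original thread or of Tomcat's own code. The class name LiveSessionTracker and the helper isLoggedIn are hypothetical, and the HttpSessionIdListener part goes beyond servlet 2.3 (it needs servlet 3.1 or later) to cover containers that change the session id at login.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class (added example). Register it with a <listener> element
// in web.xml so the container notifies it of every session it creates.
public class LiveSessionTracker implements HttpSessionListener, HttpSessionIdListener {

    // Ids of sessions that have been created and not yet destroyed.
    private static final Set<String> LIVE = ConcurrentHashMap.newKeySet();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        LIVE.add(event.getSession().getId());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Fires for explicit invalidate() (logout) and for timeouts alike.
        LIVE.remove(event.getSession().getId());
    }

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Servlet 3.1+: keep tracking a session whose id is changed at login.
        LIVE.remove(oldSessionId);
        LIVE.add(event.getSession().getId());
    }

    // True only if this request was authenticated AND its session is still
    // live. getRemoteUser() alone keeps the value decided at the start of the
    // request, so it still names the user after invalidate().
    public static boolean isLoggedIn(HttpServletRequest request) {
        if (request.getRemoteUser() == null) {
            return false;
        }
        HttpSession session = request.getSession(false); // never create one here
        return session != null && LIVE.contains(session.getId());
    }
}
```

The set lives in memory only, so a session restored after a restart or replicated from another node is not in it and is treated as logged out.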