Posted to user@struts.apache.org by Navjot Singh <na...@net4india.net> on 2004/06/30 12:04:58 UTC

[OT] JAAS behaviour

Hi,

When we have a checked URI and we authenticate successfully, the 
principal is available from the current request object. However, if we 
navigate to an unchecked URL (I mean with no security-constraint 
imposed) then the principal is not available.

I thought that the JAAS implementations save the principal in 
HttpSession after authentication. But NO. JBoss seems to save this 
principal information *somewhere* and if a web-resource with a 
security-constraint is asked for, it checks, retrieves and saves the 
principal info in the request object.

Where does JBoss's JAAS impl store the authenticated principals and its 
mapping with session ids? And why not just save it in the usual session?

Any insights?

TIA
Navjot Singh

Sign on Tombstone: "Here lies an atheist, all dressed up and nowhere to go."
