Hi,
In TC 3.x authenticate() method of a realm is called for every request.
(I gather this is changed in 4.x).
I am implementing a JAAS Realm which authenticates against a back end
EJB user realm. I want to avoid this authentication for every request
so I have done the following in authenticate()
authenticate()
{
...
JAASRealmPrincipal principal = new
JAASRealmPrincipal(principalName, lc.getSubject());
// Set principal into Tomcat
req.setUserPrincipal(principal);
...
}
so, now if I call getUserPrincipal() I get my JAAS realm that now sits
inside tomcat's RequestImpl.
In 3.2.2b1 the req.getUserPrincipal() method created a SimplePrincipal
if the principal was null so it never returned null.
In 3.2.2b4 it is changed (same as 3.3) and now returns null if there is
no principal. So, it is sufficient to do this in authenticate()?
--------------------
if (req.setUserPrincipal(principal) == null)
{
// User not authenticated... do authentication
...
JAASRealmPrincipal principal = new
JAASRealmPrincipal(principalName, lc.getSubject());
// Set principal into Tomcat
req.setUserPrincipal(principal);
...
}
else
// User already authenticated...
return true;
--------------------
I am assuming the RequestImpl is a per HTTP session object. Is this
correct? So, each different HTTP session will get a different
RequestImpl?
If so, when HTTP session times out the authentication for that user is
lost. Is it possible to keep the HTTP session alive beyond the
configured timeout through some keep alive mechanism? I have a logical
session that is container independent and there may have been activity
on that session that is not related to the HTTP session and so I want to
prevent Tomcat from losing the authenticated context.
How does this fit into TC4?
Best regards
Antony
--
Antony Bowesman
Teamware Group
[EMAIL PROTECTED]
tel: +358 9 5128 2562
fax: +358 9 5128 2705
