On 30/07/2012 21:24, Kris Easter wrote:
> 
> I'm looking at the org.apache.catalina.authenticator.FormAuthenticator
> class from the 7.0.29 src.  This portion of the authenticate method
> starting around line 301 is where I'm having a little problem:
> 
> 
> if (log.isDebugEnabled()) {
>     log.debug("Authentication of '" + username + "' was successful");
> }
>
> if (session == null) {
>     session = request.getSessionInternal(false);
> }
>
> if (session == null) {
>     if (containerLog.isDebugEnabled()) {
>         containerLog.debug
>             ("User took so long to log on the session expired");
>     }
>
>     if (landingPage == null) {
>         response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
>                 sm.getString("authenticator.sessionExpired"));
>     } else {
>         // Make the authenticator think the user originally requested
>         // the landing page
>         String uri = request.getContextPath() + landingPage;
>         SavedRequest saved = new SavedRequest();
>         saved.setMethod("GET");
>         saved.setRequestURI(uri);
>         request.getSessionInternal(true).setNote(
>                 Constants.FORM_REQUEST_NOTE, saved);
>         response.sendRedirect(response.encodeRedirectURL(uri));
>     }
>     return (false);
> }
> 
> 
> If the user sits too long on the login page the session times out, even
> if their credentials were authenticated successfully, and sends them
> back to the login page where they must re-enter their credentials.  It
> works this way even if I define a landingPage.  Without a landingPage I
> get the dreaded 408 error.
> 
> Can anyone enlighten me as to why it's a bad idea if:
> 
>  if (session == null) {
>    session = request.getSessionInternal(false);
>  }
> 
> is instead:
> 
>  if (session == null) {
>   session = request.getSessionInternal(true);
>  }

Because the session defines where to go after the authentication i.e.
which page the user requested originally. I suppose we could allow the
user to transition to the landing page in that case.

Mark
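
A simplified model of the branch discussed in this thread, added here as an illustration and not taken from Tomcat or from either poster: it shows why a session created after expiry carries no saved request to return to. The class `FormAuthModel`, the map-based session store, the session ids and the URIs are constructed assumptions.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the FORM login step quoted above. Not Tomcat code:
// the session store, ids and URIs are constructed for illustration.
public class FormAuthModel {
    // Stands in for Constants.FORM_REQUEST_NOTE
    static final String FORM_REQUEST_NOTE = "FORM_REQUEST_NOTE";
    // session id -> notes; an expired session is simply absent from the map
    static final Map<String, Map<String, String>> sessions = new HashMap<>();

    // Models request.getSessionInternal(create)
    static Map<String, String> getSession(String id, boolean create) {
        Map<String, String> s = sessions.get(id);
        if (s == null && create) {
            s = new HashMap<>();
            sessions.put(id, s);
        }
        return s;
    }

    // Outcome after the credentials were accepted, following the quoted branch.
    // 'create' selects getSessionInternal(false) or the proposed (true).
    static String afterLogin(String id, String landingPage, boolean create) {
        Map<String, String> session = getSession(id, create);
        if (session == null) {
            if (landingPage == null) {
                return "408 session expired";
            }
            // Pretend the user originally asked for the landing page
            getSession(id, true).put(FORM_REQUEST_NOTE, landingPage);
            return "redirect " + landingPage + " (authenticate returns false)";
        }
        String saved = session.get(FORM_REQUEST_NOTE);
        return saved == null ? "no saved request to return to" : "redirect " + saved;
    }

    public static void main(String[] args) {
        // Live session: the original request was saved before the form was shown
        getSession("A", true).put(FORM_REQUEST_NOTE, "/app/reports");
        System.out.println(afterLogin("A", null, false));
        // Expired session, without and with a landingPage
        System.out.println(afterLogin("B", null, false));
        System.out.println(afterLogin("C", "/app/home", false));
        // Proposed change: a fresh session exists but holds no saved request
        System.out.println(afterLogin("D", null, true));
    }
}
```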

