Christopher Schultz <chris <at> christopherschultz.net> writes: > Accessing a protected resource triggers an authorization check, which > also required authentication. Some realms cache authentication > information while others do not. The authenticator is a Valve which > uses the Realm to perform the authentication and gather authorization > information (e.g. roles). If the user isn't authenticated, then they > are challenged for credentials (login form, SSL client certificate, > HTT BASIC/DIGEST auth, etc.) and the credentials they provide are then > fed back into the realm to authenticate the user. Then the roles are > checked for authorization.
ok, thanks for this explanation, that's makes it more clear for me. One more question about "...Accessing a protected resource..." Which resources are protected is decided by what kind of configuration? Because I do nothing special for this, I think that my configuration is using the normal defaults for BASIC authentification. Perhaps there is some potential space to increase performance by disable this authentification for a lot of request types. Because I will have some issues with the administration of my session handling, can I also influence the JSESSION generation with such kind of configuration or is this done by the used browser only? Background for this question: Now I recognize, when I open a new instance of f.e. an IExplorer with my home url, this new instance use the same JSESSION id, what the parallel running instance is also using. Is it possible to configure this in the tomcat instance or couldn't I influence this behaviour? kind regards Arno --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
