Felix,

On 7/21/15 11:13 AM, Felix Schumacher wrote:
>
> On 21 July 2015 17:50:43 CEST, Arno <arno.schae...@sqs.com> wrote:
>> Christopher Schultz <chris <at> christopherschultz.net> writes:
>>> Accessing a protected resource triggers an authorization check,
>>> which also requires authentication. Some realms cache
>>> authentication information while others do not. The
>>> authenticator is a Valve which uses the Realm to perform the
>>> authentication and gather authorization information (e.g.
>>> roles). If the user isn't authenticated, then they are
>>> challenged for credentials (login form, SSL client
>>> certificate, HTTP BASIC/DIGEST auth, etc.) and the credentials
>>> they provide are then fed back into the realm to authenticate
>>> the user. Then the roles are checked for authorization.
>>
>> ok, thanks for this explanation, that makes it more clear for
>> me. One more question about "...Accessing a protected
>> resource..." Which resources are protected is decided by what
>> kind of configuration? Because I do nothing special for this, I
>> think that my configuration is using the normal defaults for
>> BASIC authentication. Perhaps there is some potential space to
>> increase performance by disabling this authentication for a lot
>> of request types.
>
> You have to look in the web.xml of your webapp. Google for
> security-constraints. Newer servlet API versions are able to set
> those through annotations also.
>
>>
>> Because I will have some issues with the administration of my
>> session handling, can I also influence the JSESSION generation
>> with such kind of configuration or is this done by the used
>> browser only? Background for this question: Now I recognize, when
>> I open a new instance of f.e. an IExplorer with my home url, this
>> new instance uses the same JSESSION id that the parallel running
>> instance is also using. Is it possible to configure this in the
>> tomcat instance or couldn't I influence this behaviour?
>
> That is a feature of IE. It will share its cookies with all
> windows.
>
> If you don't want to use cookies for the authentication (session),
> you can use the cookies attribute on the context of your webapp.
> See
> http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Attributes .
>
> Alternatively you can use different browsers, different instances
> of browsers that don't share their jar of cookies or use different
> DNS names or IPs and thus creating different cookie domains.

+1

Also, some browsers have modes where they don't share cookies, etc.
with other windows. Google Chrome for example calls this "Incognito"
and it can run a "normal" window next to an "incognito" one. Mozilla
Firefox has a mode that doesn't persist anything to the disk, but you
can't run it side-by-side with another "normal" window, you have to
quit and re-start ff to switch modes.

-chris
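
Added example, not part of the original thread: a small Python script that answers the question of which resources a webapp's web.xml protects, by listing each security-constraint's URL patterns, HTTP methods and required roles. The sample web.xml and the function names are constructed for illustration; constraints declared through annotations are not visible to it.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the thread): BASIC auth, two constraints.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>static</web-resource-name>
      <url-pattern>/static/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""

def kids(elem, name):
    """Direct children called `name`, ignoring the XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def texts(elems, name):
    return [(k.text or "").strip() for e in elems for k in kids(e, name)]

def audit(web_xml):
    """Return (auth_method, rules); a rule is (url-pattern, methods, access)."""
    root = ET.fromstring(web_xml.strip())
    auth = texts(kids(root, "login-config"), "auth-method")
    rules = []
    for sc in kids(root, "security-constraint"):
        ac = kids(sc, "auth-constraint")
        roles = texts(ac, "role-name")
        # No auth-constraint: no login needed. Empty one: access is denied.
        access = "open" if not ac else ("roles:" + ",".join(roles) if roles else "deny-all")
        for wrc in kids(sc, "web-resource-collection"):
            # Listed http-methods restrict the constraint to those methods only.
            methods = ",".join(texts([wrc], "http-method")) or "ALL"
            rules += [(p, methods, access) for p in texts([wrc], "url-pattern")]
    return (auth[0] if auth else None), rules

if __name__ == "__main__":
    for rule in audit(SAMPLE_WEB_XML)[1]:
        print("%-10s methods=%-4s access=%s" % rule)
```

A rule whose methods column is not ALL deserves a second look: in the sample, /admin/* requires the admin role for GET only, so requests with any other method are not covered by that constraint.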