Thanks Mark. Makes sense and the configuration change did the trick!

On Mon, Sep 11, 2017 at 10:05 AM, Mark Thomas <ma...@apache.org> wrote:
> On 11/09/17 14:21, Kwan Lim wrote:
> > Thanks Mark. You are correct that I'm using my own application which looks
> > like the problem is the NonLoginAuthenticator valve is calling
> > getInternalSession() (via the AuthenticatorBase class's invoke() method).
> > Is there a way to bypass this? I'm guessing the ROOT application bypasses
> > the StandardHostValve? It looks like the code is trying to cache an
> > authenticated Principal on the request which is something we do not need
> > for our app since we do our own authentication.
>
> There are several things going on here.
>
> If a web application is not marked as metadata complete in web.xml OR it
> declares security constraints in web.xml then Tomcat needs an
> authenticator to be present.
>
> The ROOT web application does meet either of these criteria hence no
> Authenticator is configured so nothing tries to access the session.
>
> If either of the above are true and no login configuration is present in
> web.xml, Tomcat automatically adds the NonLoginAuthenticator.
>
> By default, every authenticator checks the session for a cached
> Principal. This is configurable.
>
> You need to explicitly configure the NonLoginAuthenticator and set cache
> to false. Something like the following (untested).
>
> <Context>
>   <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
>          cache="false" />
> </Context>
>
> HTH,
>
> Mark