-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ken,

Ken Moore wrote:
> We use basic authentication for web services. I'd like to flush the
> cache when the password is changed.

Do you mean that you want to force your users to re-login when they
change their passwords?

> I've been looking through the doc and code and I've not yet found the
> cache or a way to flush it.

The "cached" value is really associated with the session. So, if you
invalidate the session, you will destroy this cache. Since the browser
will continue to send the (old) HTTP AUTH header, Tomcat will likely
react by vetoing the re-login and respond with a WWW-Authenticate
response header. The browser will then ask the user for credentials (the
familiar pop-up username/password dialog) and the user should be
re-logged-in.

If this isn't happening smoothly, you can issue a 401 response and
include a WWW-Authenticate header manually (along with a session
invalidation) to attempt to force a re-request of the user's credentials.

- -chris



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGeEqF9CaO5/Lv0PARAnaDAJ9l8d8w9RS9GyoiauS854v1DzIbaACggkwA
J9jFbniNwNu6yQP82duWhyk=
=icOa
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to