Hi Christopher, Thanks! I thought it might be stored in the session.
Our web app mainly supports web services. We are pretty much stateless on the app server and don't have the notion of logging in. We don't explicitly do anything with sessions. Instead, we use basic authentication and the credentials are supplied with each web service request, in the standard HTTP headers. The clients are not browsers, they are other applications.

If a password is changed, we need to ensure that any web service requests sent in with the old password are rejected. I wonder if I've misunderstood the nature of the caching mentioned in the realm how-to doc. It sounds as if the login module might be invoked for each web service request.

At any rate, it is time for me to do some more digging and investigation. Thanks again.

-----Original Message-----
From: Christopher Schultz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 19, 2007 2:29 PM
To: Tomcat Users List
Subject: Re: how to flush cache of authenticated users

Ken,

Ken Moore wrote:
> We use basic authentication for web services. I'd like to flush the
> cache when the password is changed.

Do you mean that you want to force your users to re-login when they change their passwords?

> I've been looking through the doc and code and I've not yet found the
> cache or a way to flush it.

The "cached" value is really associated with the session. So, if you invalidate the session, you will destroy this cache. Since the browser will continue to send the (old) HTTP AUTH header, Tomcat will likely react by vetoing the re-login and respond with a WWW-Authenticate response header. The browser will then ask the user for credentials (the familiar pop-up username/password dialog) and the user should be re-logged-in.

If this isn't happening smoothly, you can issue a 401 response and include a WWW-Authenticate header manually (along with a session invalidation) to attempt to force a re-request of the user's credentials.
-chris

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
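
The session invalidation plus manual 401 and WWW-Authenticate described in the thread, sketched as a servlet filter. This is an added example, not code from either poster or from Tomcat; the class name, the in-memory map, `markPasswordChanged` and the realm string are hypothetical, and it assumes the `javax.servlet` API with container-managed BASIC authentication.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: discards any session created before the user's last
// password change, so the container must re-check credentials against the realm.
public class PasswordChangeFilter implements Filter {
    // user name -> time (ms) of last password change; in-memory for illustration
    private static final Map<String, Long> CHANGED_AT =
            new ConcurrentHashMap<String, Long>();
    // Placeholder; should match <realm-name> in the web.xml login-config.
    private static final String REALM = "Example Realm";

    /** Call this from the (hypothetical) code path that updates the password store. */
    public static void markPasswordChanged(String user) {
        CHANGED_AT.put(user, Long.valueOf(System.currentTimeMillis()));
    }

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create one here
        String user = request.getRemoteUser();           // null if unauthenticated
        Long changedAt = (user == null) ? null : CHANGED_AT.get(user);

        // A session that predates the password change may still carry the
        // authenticated principal cached from the old password.
        if (session != null && changedAt != null
                && session.getCreationTime() <= changedAt.longValue()) {
            session.invalidate(); // destroys the cached authentication
            response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // 401
            return;
        }
        chain.doFilter(req, res);
    }
}
```

A client that retries with the old password after the 401 is then checked against the realm again rather than against the discarded session.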