Ken,

Ken Moore wrote:
> Thanks! I thought it might be stored in the session.

The servlet specification does not dictate where this information is
stored. Since the spec does not state this, Tomcat intentionally does
not store the information "in" the session. But you could expect that a
session is more or less directly related to this information.

> Our web app mainly supports web services. We are pretty much stateless
> on the app server and don't have the notion of logging in. We don't
> explicitly do anything with sessions.

It is very possible that sessions are being used without your knowledge.
For instance, Tomcat /may/ use a session so that your credentials work.
It may also use a JSESSIONID cookie without an actual session or
something else entirely. JSPs and some other components can sometimes
inadvertently create sessions. You might consider creating an
HttpSessionListener to log session creations (with a stack trace) to see
where they might be being created, if at all.

> Instead, we use basic authentication and the credentials are supplied
> with each web service request, in the standard http headers. The clients
> are not browsers, they are other applications.
> 
> If a password is changed, we need to ensure that any web service
> requests sent in with the old password are rejected.

This makes a lot more sense.

> I wonder if I've misunderstood the nature of the caching mentioned in
> the realm how-to doc. It sounds as if the login module might be invoked
> for each web service request. At any rate, it is time for me to do some
> more digging and investigation.

Generally, Tomcat will only validate the credentials once for a
particular session. The WWW-Authenticate header will probably be
compared to the "cached" value that includes a flag that says "yep,
these creds have already been validated", so validation only occurs that
one time.

If you are issuing a WWW-Authenticate header to a web service, there's
nothing for it to ask of a user, so my suggestion is probably worthless
for your needs. Invalidating the session object itself /should/ work,
but if HttpServletRequest.getSession(false) returns null, then I'm out
of ideas ;)

Good luck.

-chris

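A listener of the kind suggested in the reply above, added here as an example and not part of the original thread. It assumes a Servlet 3.0+ container so that the @WebListener annotation is honoured; on older Tomcat versions the same class is registered in web.xml with a <listener> element instead.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical audit listener: records every session creation together with
// the call stack of the code that created it, so sessions nobody expected
// (a JSP, the authenticator, a stray getSession() call) can be traced back
// to their source and, if unwanted, prevented.
@WebListener
public class SessionCreationAuditListener implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationAuditListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession session = se.getSession();
        String id = session.getId();
        // Log only a prefix of the id: the full JSESSIONID is a bearer
        // secret and should not end up in plain-text log files.
        String idPrefix = id.substring(0, Math.min(8, id.length())) + "...";
        // The Throwable is never thrown; constructing it captures the current
        // call stack, which the logger prints after the message.
        LOG.log(Level.WARNING,
                "Session created: id=" + idPrefix
                        + " maxInactiveInterval="
                        + session.getMaxInactiveInterval() + "s",
                new Throwable("session creation stack trace"));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        String id = se.getSession().getId();
        LOG.info("Session destroyed: id="
                + id.substring(0, Math.min(8, id.length())) + "...");
    }
}
```

Deploy it alongside the web application and watch the Tomcat log for WARNING entries; the first few frames of each stack trace name the servlet, JSP or valve that triggered the creation.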
