Ken,
Ken Moore wrote:
> Thanks! I thought it might be stored in the session.

The servlet specification does not dictate where this information is stored. Since the spec does not state this, Tomcat intentionally does not store the information "in" the session. But you could expect that a session is more or less directly related to this information.

> Our web app mainly supports web services. We are pretty much stateless
> on the app server and don't have the notion of logging in. We don't
> explicitly do anything with sessions.

It is very possible that sessions are being used without your knowledge. For instance, Tomcat /may/ use a session so that your credentials work. It may also use a JSESSIONID cookie without an actual session or something else entirely. JSPs and some other components can sometimes inadvertently create sessions. You might consider creating an HttpSessionListener to log session creations (with a stack trace) to see where they might be being created, if at all.

> Instead, we use basic authentication and the credentials are supplied
> with each web service request, in the standard http headers. The clients
> are not browsers, they are other applications.
>
> If a password is changed, we need to ensure that any web service
> requests sent in with old password are rejected.

This makes a lot more sense.

> I wonder if I've misunderstood the nature of the caching mentioned in
> the realm how-to doc. It sounds as if the login module might be invoked
> for each web service request. At any rate, it is time for me to do some
> more digging and investigation.

Generally, Tomcat will only validate the credentials once for a particular session. The WWW-Authenticate header will probably be compared to the "cached" value that includes a flag that says "yep, these creds have already been validated", so validation only occurs that one time.
If you are issuing a WWW-Authenticate header to a web service, there's nothing for it to ask of a user, so my suggestion is probably worthless for your needs. Invalidating the session object itself /should/ work, but if HttpServletRequest.getSession(false) returns null, then I'm out of ideas ;)

Good luck.

-chris
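One way to implement the HttpSessionListener suggested above, added here as an example and not code from the thread: it logs every session creation together with the call stack that triggered it, so the log shows which servlet, JSP or authenticator created the session. The class name and logger are my own choices.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical listener. Register it in web.xml so the container calls it:
//   <listener>
//     <listener-class>SessionCreationTracer</listener-class>
//   </listener>
// (On Servlet 3.0+ containers, @WebListener on the class does the same.)
public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOG =
            Logger.getLogger(SessionCreationTracer.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        String id = se.getSession().getId();
        // Build a Throwable at this point purely to capture the current stack;
        // the frames above this method identify the component that asked for
        // the session (e.g. a JSP compiled with session="true", or the
        // BASIC authenticator caching validated credentials).
        Throwable origin = new Throwable("session " + id + " created here");
        LOG.log(Level.INFO, "HTTP session created: " + id, origin);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Destruction is logged without a stack; seeing it paired with the
        // creation entry confirms that invalidate() actually ran.
        LOG.info("HTTP session destroyed: " + se.getSession().getId());
    }
}
```

If a web service that is supposed to be stateless never produces a "created" entry, there is no session for a password change to invalidate, which is the getSession(false)-returns-null case mentioned above.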