Erik Rumppe wrote: > For right now I am using BASIC authentication. There are 3 roles > defined in the tomcat-users.xml file. To access different areas of my > application requires different levels of roles. I want my users to be > able to click on a link and if they don't meet the role requirement have > the Authentication Requested login box pop-up so someone with the proper > level of access can simply login right there and go to the requested > screen. Instead of this happening all I get is an HTTP error page > saying that the request resource is protected. The user then has to > close their browser and re-open it to log in as another user with a > different role. It would make sense to me that Tomcat has a way of > handling this issue, but I can't for the life of me find it. HELP!!!!
There is no way built in to handle this since this is how BASIC authentication is meant to work. > I have also tried to simply implement a logout function that removes the > current session and (supposedly) deletes the persistent cookie and > presents the user with a screen that has a link to a page that requires > a login. It should (IMHO) present them with the login box once they > click the link since the session and cookie were removed, but it > doesn't. I've monitored the Tomcat sessions through the manager > application and I know that the session is being removed for sure but it > doesn't seem that the cookie is being removed. Here is the code for the > utility that removes the session and cookie: The cookie isn't relevant. The root cause is that the browser is caching the credentials and presenting them along with all requests. There are some hacks to get around this but there aren't pretty. See https://issues.apache.org/bugzilla/show_bug.cgi?id=44299 for a summary. I never did get around to implementing any of them. It is still on the todo list. You could also look at switching to form authentication. Mark --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
