Umesh,

On 5/8/2009 9:03 PM, umeshkavade wrote:
> In my web application, I am using tomcat's form based authentication for
> protecting my secure web pages. Thus whenever user starts accessing webapp
> by providing an URL of protected page, it is redirected to login page.
> However, while doing so it creates a session. I do not want my web
> application to create a session until user logs into the system.

Pid is right, you can't avoid this. Tomcat stores the original request that caused authentication to be triggered in the session. Technically, it's not stored in the session attributes (so you can't manipulate it), but it's definitely tied to the session.

If you want to avoid session creation, you'll have to roll your own authentication mechanism.

> I tried to figure out how form authenticator is working. I got source code
> of FormAuthenticator at:
> http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm

You should get the source code from the actual source repository:

http://svn.apache.org/repos/asf/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java

> Is there any way to avoid this and tell tomcat to not create session.

No, you'd have to write your own authentication mechanism. Tomcat is required to store the request that triggered authentication for re-play after a successful authentication. If not the request, where else should it be stored?

-chris
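Added example, not part of the original message and not Tomcat code: one building block a custom authentication mechanism could use to remember the originally requested path without creating a session, by carrying it through the login page in an HMAC-signed, expiring token. The class name `ReturnTargetToken`, the token layout, and the way the server-side key is supplied are assumptions made for this illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper (not a Tomcat class): carries the originally requested
// path through the login page in a signed token instead of an HttpSession.
public class ReturnTargetToken {
    private final byte[] key;   // server-side secret, never sent to the client
    public ReturnTargetToken(byte[] key) { this.key = key.clone(); }

    // Token layout (constructed for this example): base64url(expiry|path) "." base64url(HMAC)
    public String issue(String path, long expiresAtMillis) throws GeneralSecurityException {
        if (!isLocalPath(path)) throw new IllegalArgumentException("not a local path");
        byte[] payload = (expiresAtMillis + "|" + path).getBytes(StandardCharsets.UTF_8);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
    }

    // Returns the path to redirect to after login, or null if the token is
    // forged, expired, malformed, or points outside the application.
    public String verify(String token, long nowMillis) {
        try {
            String[] parts = token.split("\\.", -1);
            if (parts.length != 2) return null;
            byte[] payload = Base64.getUrlDecoder().decode(parts[0]);
            byte[] mac = Base64.getUrlDecoder().decode(parts[1]);
            if (!MessageDigest.isEqual(mac, hmac(payload))) return null; // constant-time compare
            String[] f = new String(payload, StandardCharsets.UTF_8).split("\\|", 2);
            if (f.length != 2 || Long.parseLong(f[0]) < nowMillis) return null;
            return isLocalPath(f[1]) ? f[1] : null;
        } catch (RuntimeException | GeneralSecurityException e) { // null token, bad base64, bad number
            return null;
        }
    }

    // Reject absolute and scheme-relative URLs so the token cannot become an open redirect.
    static boolean isLocalPath(String p) {
        return p != null && p.startsWith("/") && !p.startsWith("//")
                && p.indexOf('\\') < 0 && p.indexOf('\r') < 0 && p.indexOf('\n') < 0;
    }

    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(data);
    }
}
```

A token like this carries only a path and query string, so it cannot replay the full original request (method, headers, POST body) the way the session-bound saved request described above does.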