Léa,

On 11/4/11 12:04 PM, Léa Massiot wrote:
> @Tim : Thank you for your answer.
>
>> [Tim wrote:] "Uncertain" is a bit vague.
> Yes. Ok. This is my understanding which is "uncertain" then. What
> happens is what you wrote: "a new session for the user with _none_
> of the objects from the old session in it".

The new session created is completely empty. It has nothing to do with the user going back in the history, etc. If you have a lot of data in the request parameters that can keep the state of the workflow sane, then that's a different story. I always try to have enough information in the page (form) so that resuming a workflow after a session timeout is a possibility. This is something you will have to code into your own webapp: it's not something Tomcat can provide for you.

>> [Tim wrote:] If every page in the web app is supposed to require
>> authentication you need to declare that in web.xml.
> Can you tell me how?

Read up on the servlet spec, specifically the "authentication and authorization" sections. Look for <security-constraint> and <auth-constraint> sections in web.xml.

>> [Tim wrote:] I'm assuming (perhaps incorrectly) you've already
>> got some declaration in there for form authentication?
> What are you thinking about? Can you be more precise?

If users are logging into your webapp, presumably they are providing a username and password (or other credentials): where do you have that configured?

-chris