inline

> -----Original Message-----
> From: Curt Smith [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 28, 2001 18:04
> To: Orion-Interest
> Subject: UserManager / BASIC auth; orion caching 
> username/password ????
> 
> 
> I've got a confusing issue that I'm observing:
> 
> I'm using BASIC authorization and installed my subclass of 
> AbstractUserManager into
> orion-application.xml.
> 
> I get the HTTP challenge login dialogue the first time, and 
> get into the protected site
> when my um.checkPassword ( user, pw ) returns true.
> 
> Problems are:
> 
> - After 3 failures I get sent to the 401 screen.   I'd like 
> to loop forever in the
>  login dialog.

Non-standard, check the HTTP RFC.
> 
>   ???
> 
> - The Security context seems to be cached and survives 
> re-starts of orion  ??????

The browser does that; once a basic auth works, the same browser process
will keep sending the same auth to the server for each auth challenge.

> 
>   I see the um.checkPassword () method being called with the 
> successful username
>   password in my log4j logs.  Is the container supplying the 
> user/passwd without challenging
>   client????   This works for both IE and NS and I've turned 
> the auto-login features off for
>   IE.
> 
>    On one hand this is great for resilience, especially if 
> the session object is serialized too.
>    I haven't found any files that might be performing this 
> feature though???
> 
>    On the down side, I can't force a session / Security 
> Context invalidation to force a new
>    login for debugging purposes.   Stopping IE / NS and 
> restarting the client even jumps
>    back into the session without an HTTP challenge ???   I've 
> never seen this before?
> 
>     Why can't I find how to flush cookies in IE and NS...  ;< 
>  but this appears to be solely
>     an orion behavior and not using cookies to persist the 
> Security context???
> 
> 
> Anybody have an explanation of what's going on with this appearance of
> auto-login behavior via my UserManager.checkPassword() method?
> 
> very confused,
> 
> curt
> 
> 
> 
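
The behavior described in the reply, as an added example that is not part of the original thread: a stateless Basic-auth server and a browser-like client that remembers the `Authorization` header for the life of its process. The `Server` and `Browser` classes, the realm name and the credentials are constructed for illustration; `check_password` stands in for the `UserManager.checkPassword()` call mentioned in the question.

```python
import base64

CHALLENGE = {"WWW-Authenticate": 'Basic realm="protected"'}  # constructed realm


class Server:
    """Holds no login state; every request is judged on its own header."""
    def __init__(self, users):
        self.users, self.check_calls = users, 0

    def check_password(self, user, pw):  # stand-in for the UserManager hook
        self.check_calls += 1
        return self.users.get(user) == pw

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            except ValueError:  # malformed base64 or non-UTF-8 bytes
                return 401, CHALLENGE
            if self.check_password(user, pw):
                return 200, {}
        return 401, CHALLENGE


class Browser:
    """Caches the header after one success and replays it without a dialog."""
    def __init__(self, prompt):
        self.prompt, self.cached, self.prompts = prompt, None, 0

    def get(self, server):
        headers = {"Authorization": self.cached} if self.cached else {}
        status, _ = server.handle(headers)
        if status == 401 and not self.cached:
            self.prompts += 1  # the login dialog is shown only here
            user, pw = self.prompt()
            value = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
            status, _ = server.handle({"Authorization": value})
            if status == 200:
                self.cached = value
        return status


def demo():
    users = {"curt": "s3cret"}  # constructed credentials
    browser = Browser(lambda: ("curt", "s3cret"))
    first = browser.get(Server(users))
    restarted = Server(users)  # a new instance models a server restart
    second = browser.get(restarted)
    return first, second, browser.prompts, restarted.check_calls
```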
