I'm a bit confused by the scope for authentication.  For purposes of
discussion, assume that there is a sub-section of my web-app that is
protected via:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>somerole</role-name>
    </auth-constraint>
  </security-constraint>

If a user successfully authenticates to access a resource in the 'Protected
Area', and then subsequently requests a non-protected page, is the Container
required to report (via request.getUserPrincipal/request.getRemoteUser) the
authentication information that was used to access the 'Protected Area' for
the request to the non-protected page?

The remark in section 12.6 that the "servlet container is required to track
authentication information at the container level" (except that this is
qualified in the same sentence), and the remark in section 12.10 that a
'null' value for request.getUserPrincipal "indicates that a user is logged
out", would seem to say that the user needs to be tracked for the entire
web-app.  However, I'm the first to admit to possibly reading more into this
than was intended.

I'm asking this, since at the moment Tomcat (and, therefore, presumably the
J2EE RI) does not track user authentication for requests to
non-authenticated pages.  I'm hoping that this issue can be clarified in the
final draft of the 2.4 spec.
