Re: j_username in session cookie - where did it go?

2002-08-14 Thread Milt Epstein

On Wed, 14 Aug 2002, Ed Thompson wrote:

> It defaults to true, and I don't have it explicitly set.

Yeah, but what I was saying is that sometimes you need it to be false
(i.e. you need to explicitly set it to false).


> I got getRemoteUser to work, now I just need to find a password
> passing strategy...

If you got getRemoteUser to work, then the above is not the problem.
As to a password passing strategy, I suggest heeding Craig's advice.


> - Original Message -
> From: "Milt Epstein" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Wednesday, August 14, 2002 7:54 PM
> Subject: Re: j_username in session cookie - where did it go?
>
>
> > On Wed, 14 Aug 2002, Ed Thompson wrote:
> >
> > > OK, exploring the alternatives -
> > >
> > > I authenticate, then I  call the snoop.jsp in the tomcat examples
> > > directory, and it indicates remote User is null.
> > >
> > > Am I missing something else?
> >
> > Are you doing this through Apache, or Tomcat standalone?  If the
> > former, do you have tomcatAuthentication="false" in your Connector tag
> > in your server.xml?  I had to put that in there for the AJP connector
> > in order to get this to work.
> >
> >
> > > - Original Message -
> > > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, August 13, 2002 10:41 PM
> > > Subject: Re: j_username in session cookie - where did it go?
> > >
> > >
> > > >
> > > >
> > > > On Tue, 13 Aug 2002, Ed Thompson wrote:
> > > >
> > > > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > > Subject: j_username in session cookie - where did it go?
> > > > >
> > > > > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > > > > Tomcat 4.0.4.
> > > > > >
> > > > > > I am using form based authentication, and found under 3.2 I could pull
> > > > > > j_username out of the session cookie after authentication was done.
> > > > > >
> > > > >
> > > > > That's not how it really worked under 3.2, although if you are using BASIC
> > > > > authentication you could decode the username out of the "Authorization"
> > > > > header.
> > > > >
> > > > > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > > > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > > > > and installing 4.0.4 from scratch..
> > > > > >
> > > > > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > > > > have I not cfg'd something properly?
> > > > >
> > > >
> > > > The portable way to get ahold of the authenticated username is to call
> > > > request.getRemoteUser().  See the servlet spec for more details on
> > > > container managed security:
> > > >
> > > > http://java.sun.com/products/servlet/download.html
> > > >
> > > > > Thanx!
> > > > > Ed
> > > >
> > > > Craig
> > > >
> > > >
> > > > --
> > > > To unsubscribe, e-mail:
> > > <mailto:[EMAIL PROTECTED]>
> > > > For additional commands, e-mail:
> > > <mailto:[EMAIL PROTECTED]>
> > > >
> > >
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > >
> >
> > Milt Epstein
> > Research Programmer
> > Systems and Technology Services (STS)
> > Campus Information Technologies and Educational Services (CITES)
> > University of Illinois at Urbana-Champaign (UIUC)
> > [EMAIL PROTECTED]
> >
> >
>
>
>
>

Milt Epstein
Research Programmer
Systems and Technology Services (STS)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]






Re: j_username in session cookie - where did it go?

2002-08-14 Thread Ed Thompson

It defaults to true, and I don't have it explicitly set.

I got getRemoteUser to work, now I just need to find a password passing
strategy...

- Original Message -
From: "Milt Epstein" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Wednesday, August 14, 2002 7:54 PM
Subject: Re: j_username in session cookie - where did it go?


> On Wed, 14 Aug 2002, Ed Thompson wrote:
>
> > OK, exploring the alternatives -
> >
> > I authenticate, then I  call the snoop.jsp in the tomcat examples
> > directory, and it indicates remote User is null.
> >
> > Am I missing something else?
>
> Are you doing this through Apache, or Tomcat standalone?  If the
> former, do you have tomcatAuthentication="false" in your Connector tag
> in your server.xml?  I had to put that in there for the AJP connector
> in order to get this to work.
>
>
> > - Original Message -
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 10:41 PM
> > Subject: Re: j_username in session cookie - where did it go?
> >
> >
> > >
> > >
> > > On Tue, 13 Aug 2002, Ed Thompson wrote:
> > >
> > > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > Subject: j_username in session cookie - where did it go?
> > > >
> > > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > > Tomcat 4.0.4.
> > > >
> > > > I am using form based authentication, and found under 3.2 I could pull
> > > > j_username out of the session cookie after authentication was done.
> > > >
> > >
> > > That's not how it really worked under 3.2, although if you are using BASIC
> > > authentication you could decode the username out of the "Authorization"
> > > header.
> > >
> > > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > > and installing 4.0.4 from scratch..
> > > >
> > > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > > have I not cfg'd something properly?
> > > >
> > >
> > > The portable way to get ahold of the authenticated username is to call
> > > request.getRemoteUser().  See the servlet spec for more details on
> > > container managed security:
> > >
> > > http://java.sun.com/products/servlet/download.html
> > >
> > > > Thanx!
> > > > Ed
> > >
> > > Craig
> > >
> > >
> >
> >
> >
>
> Milt Epstein
> Research Programmer
> Systems and Technology Services (STS)
> Campus Information Technologies and Educational Services (CITES)
> University of Illinois at Urbana-Champaign (UIUC)
> [EMAIL PROTECTED]
>
>
>







Re: j_username in session cookie - where did it go?

2002-08-14 Thread Craig R. McClanahan



On Wed, 14 Aug 2002, Ed Thompson wrote:

> Date: Wed, 14 Aug 2002 19:27:03 -0400
> From: Ed Thompson <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: j_username in session cookie - where did it go?
>
> OK, exploring the alternatives -
>
> I authenticate, then I  call the snoop.jsp in the tomcat examples directory,
> and it indicates remote User is null.
>
> Am I missing something else?
>

Authentication is per-webapp unless you turn on the Single Sign On
feature.  See "http://localhost:8080/tomcat-docs/config/host.html" for
more about single sign on (under Special Features).

Craig


> - Original Message -
> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, August 13, 2002 10:41 PM
> Subject: Re: j_username in session cookie - where did it go?
>
>
> >
> >
> > On Tue, 13 Aug 2002, Ed Thompson wrote:
> >
> > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > Subject: j_username in session cookie - where did it go?
> > >
> > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > Tomcat 4.0.4.
> > >
> > > I am using form based authentication, and found under 3.2 I could pull
> > > j_username out of the session cookie after authentication was done.
> > >
> >
> > That's not how it really worked under 3.2, although if you are using BASIC
> > authentication you could decode the username out of the "Authorization"
> > header.
> >
> > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > and installing 4.0.4 from scratch..
> > >
> > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > have I not cfg'd something properly?
> > >
> >
> > The portable way to get ahold of the authenticated username is to call
> > request.getRemoteUser().  See the servlet spec for more details on
> > container managed security:
> >
> > http://java.sun.com/products/servlet/download.html
> >
> > > Thanx!
> > > Ed
> >
> > Craig
> >
> >
>
>
>
>
>






Re: j_username in session cookie - where did it go?

2002-08-14 Thread Milt Epstein

On Wed, 14 Aug 2002, Ed Thompson wrote:

> OK, exploring the alternatives -
>
> I authenticate, then I  call the snoop.jsp in the tomcat examples
> directory, and it indicates remote User is null.
>
> Am I missing something else?

Are you doing this through Apache, or Tomcat standalone?  If the
former, do you have tomcatAuthentication="false" in your Connector tag
in your server.xml?  I had to put that in there for the AJP connector
in order to get this to work.


> - Original Message -
> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, August 13, 2002 10:41 PM
> Subject: Re: j_username in session cookie - where did it go?
>
>
> >
> >
> > On Tue, 13 Aug 2002, Ed Thompson wrote:
> >
> > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > Subject: j_username in session cookie - where did it go?
> > >
> > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > Tomcat 4.0.4.
> > >
> > > I am using form based authentication, and found under 3.2 I could pull
> > > j_username out of the session cookie after authentication was done.
> > >
> >
> > That's not how it really worked under 3.2, although if you are using BASIC
> > authentication you could decode the username out of the "Authorization"
> > header.
> >
> > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > and installing 4.0.4 from scratch..
> > >
> > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > have I not cfg'd something properly?
> > >
> >
> > The portable way to get ahold of the authenticated username is to call
> > request.getRemoteUser().  See the servlet spec for more details on
> > container managed security:
> >
> > http://java.sun.com/products/servlet/download.html
> >
> > > Thanx!
> > > Ed
> >
> > Craig
> >
> >
>
>
>
>

Milt Epstein
Research Programmer
Systems and Technology Services (STS)
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]






Re: j_username in session cookie - where did it go?

2002-08-14 Thread Ed Thompson

OK, exploring the alternatives -

I authenticate, then I  call the snoop.jsp in the tomcat examples directory,
and it indicates remote User is null.

Am I missing something else?

- Original Message -
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 10:41 PM
Subject: Re: j_username in session cookie - where did it go?


>
>
> On Tue, 13 Aug 2002, Ed Thompson wrote:
>
> > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > From: Ed Thompson <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: j_username in session cookie - where did it go?
> >
> > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > Tomcat 4.0.4.
> >
> > I am using form based authentication, and found under 3.2 I could pull
> > j_username out of the session cookie after authentication was done.
> >
>
> That's not how it really worked under 3.2, although if you are using BASIC
> authentication you could decode the username out of the "Authorization"
> header.
>
> > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > and installing 4.0.4 from scratch..
> >
> > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > have I not cfg'd something properly?
> >
>
> The portable way to get ahold of the authenticated username is to call
> request.getRemoteUser().  See the servlet spec for more details on
> container managed security:
>
> http://java.sun.com/products/servlet/download.html
>
> > Thanx!
> > Ed
>
> Craig
>
>







RE: j_username in session cookie - where did it go?

2002-08-14 Thread Craig R. McClanahan



On Wed, 14 Aug 2002, Mark Schmeets wrote:

> Date: Wed, 14 Aug 2002 15:12:08 -0400
> From: Mark Schmeets <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: j_username in session cookie - where did it go?
>
> Thanks Craig.
> Don't mean to take this too far off topic, and am not trying to start a
> flame with it. I am curious as to why this is a non-portable feature. Or is
> that what you mean. That it is an implementation artifact of Tomcat and not
> in the servlet spec?

The fact that Tomcat 3.x exposed j_username and j_password as attributes
is absolutely, positively an implementation artifact of that particular
version of Tomcat.  The fact that the attribute names didn't start with
"javax.servlet" should have been your first clue.

To see what *is* in the spec, you need to get the spec:

  http://java.sun.com/products/servlet/download.html

and read what Section 12.5.3 has to say about how form based login works.
Nothing outside this list of behaviors is at all portable.

> I think there are a lot of options, this was just one. Certainly you could
> auth at the webapp and use the username to do a look up somewhere else for
> database creds. But forms auth can also be useful (assuming https). I
> "rolled my own" because the container didn't provide what I needed, and that
> is the way it should be. But the whole idea here is to keep the security at
> the database, so people in the organization can't mess around with it.
>

It sounds like you might be better off doing "roll your own"
authentication for the webapp as well, and not just the database.  That
way, your own implementation of form-based security can do what you need.

Craig


> -Original Message-
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 14, 2002 2:28 PM
> To: Tomcat Users List
> Subject: RE: j_username in session cookie - where did it go?
>
>
>
>
> On Wed, 14 Aug 2002, Mark Schmeets wrote:
>
> > Date: Wed, 14 Aug 2002 13:47:48 -0400
> > From: Mark Schmeets <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: RE: j_username in session cookie - where did it go?
> >
> > Well, I know there are a lot of other ways of doing this, but having the
> > username and password from forms auth makes it very simple. The username and
> > password are for the database. The servlet app isn't necessarily the only
> > app to access certain data, there may well be some legacy and client-server
> > apps too. Besides, some architects like to keep security at the database
> > level.
> > I didn't mean to suggest that there aren't other ways, just that Craig's
> > suggestion sounded pretty severe.
> >
>
> Sorry ... but that's the kind of thing that happens when you depend on
> non-portable features of one particular version of one servlet container.
>
> Of course, the idea of using the same username/password for access to the
> webapp (where any network snooper can read them) *and* the database (where
> anyone inside your organization can cause all sorts of mischief) doesn't
> sound like a real secure design in the first place, but that's a whole
> different discussion.
>
> Craig
>
>
>
>






RE: j_username in session cookie - where did it go?

2002-08-14 Thread Mark Schmeets

Thanks Craig.
Don't mean to take this too far off topic, and am not trying to start a
flame with it. I am curious as to why this is a non-portable feature. Or is
that what you mean. That it is an implementation artifact of Tomcat and not
in the servlet spec?
I think there are a lot of options, this was just one. Certainly you could
auth at the webapp and use the username to do a look up somewhere else for
database creds. But forms auth can also be useful (assuming https). I
"rolled my own" because the container didn't provide what I needed, and that
is the way it should be. But the whole idea here is to keep the security at
the database, so people in the organization can't mess around with it.

-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 14, 2002 2:28 PM
To: Tomcat Users List
Subject: RE: j_username in session cookie - where did it go?




On Wed, 14 Aug 2002, Mark Schmeets wrote:

> Date: Wed, 14 Aug 2002 13:47:48 -0400
> From: Mark Schmeets <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: j_username in session cookie - where did it go?
>
> Well, I know there are a lot of other ways of doing this, but having the
> username and password from forms auth makes it very simple. The username and
> password are for the database. The servlet app isn't necessarily the only
> app to access certain data, there may well be some legacy and client-server
> apps too. Besides, some architects like to keep security at the database
> level.
> I didn't mean to suggest that there aren't other ways, just that Craig's
> suggestion sounded pretty severe.
>

Sorry ... but that's the kind of thing that happens when you depend on
non-portable features of one particular version of one servlet container.

Of course, the idea of using the same username/password for access to the
webapp (where any network snooper can read them) *and* the database (where
anyone inside your organization can cause all sorts of mischief) doesn't
sound like a real secure design in the first place, but that's a whole
different discussion.

Craig






RE: j_username in session cookie - where did it go?

2002-08-14 Thread Craig R. McClanahan



On Wed, 14 Aug 2002, Mark Schmeets wrote:

> Date: Wed, 14 Aug 2002 13:47:48 -0400
> From: Mark Schmeets <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: j_username in session cookie - where did it go?
>
> Well, I know there are a lot of other ways of doing this, but having the
> username and password from forms auth makes it very simple. The username and
> password are for the database. The servlet app isn't necessarily the only
> app to access certain data, there may well be some legacy and client-server
> apps too. Besides, some architects like to keep security at the database
> level.
> I didn't mean to suggest that there aren't other ways, just that Craig's
> suggestion sounded pretty severe.
>

Sorry ... but that's the kind of thing that happens when you depend on
non-portable features of one particular version of one servlet container.

Of course, the idea of using the same username/password for access to the
webapp (where any network snooper can read them) *and* the database (where
anyone inside your organization can cause all sorts of mischief) doesn't
sound like a real secure design in the first place, but that's a whole
different discussion.

Craig






RE: j_username in session cookie - where did it go?

2002-08-14 Thread Mark Schmeets

Well, I know there are a lot of other ways of doing this, but having the
username and password from forms auth makes it very simple. The username and
password are for the database. The servlet app isn't necessarily the only
app to access certain data, there may well be some legacy and client-server
apps too. Besides, some architects like to keep security at the database
level.
I didn't mean to suggest that there aren't other ways, just that Craig's
suggestion sounded pretty severe.



-Original Message-
From: Ralph Einfeldt [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 14, 2002 12:18 PM
To: Tomcat Users List
Subject: AW: j_username in session cookie - where did it go?


What has the security on the data level to do with Craig's answer?

The container makes the authentication, that is it checks the
username and password against a Realm. After that the application
knows who is logged in and which roles this user has. That's
the only thing that an application needs to show or not show any
information.

For what do you need a password on this level or j_username?


> -Original Message-
> From: Mark Schmeets [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 14 August 2002 16:54
> To: Tomcat Users List
> Subject: RE: j_username in session cookie - where did it go?
>
>
> whoa, that seems like a very oversimplified answer. Some of us require
> security at the data level too. A "solution" like that makes Tomcat's
> authentication useless in that situation...
>
>
> Mark
>
>
> -Original Message-
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 11:11 PM
> To: Tomcat Users List
> Subject: Re: j_username in session cookie - where did it go?
>
>
>
>
> On Tue, 13 Aug 2002, Ed Thompson wrote:
>
> > Date: Tue, 13 Aug 2002 22:56:32 -0400
> > From: Ed Thompson <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: Re: j_username in session cookie - where did it go?
> >
> > I was also scraping the password - used j_username and j_passwd for
> > database access.
> >
>
> There is no portable way to do that.  And Tomcat 4 does not expose them,
> because the password is none of the app's business -- the user
> is either authenticated or not.
>
> > Any hints on that one?
>
> Re-architect your app so that it needs only the username.
>
> Craig
>
>
> >
> > - Original Message -
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 10:41 PM
> > Subject: Re: j_username in session cookie - where did it go?
> >
> >
> > >
> > >
> > > On Tue, 13 Aug 2002, Ed Thompson wrote:
> > >
> > > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > Subject: j_username in session cookie - where did it go?
> > > >
> > > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > > Tomcat 4.0.4.
> > > >
> > > > I am using form based authentication, and found under 3.2 I could pull
> > > > j_username out of the session cookie after authentication was done.
> > > >
> > >
> > > That's not how it really worked under 3.2, although if you are using BASIC
> > > authentication you could decode the username out of the "Authorization"
> > > header.
> > >
> > > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > > and installing 4.0.4 from scratch..
> > > >
> > > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > > have I not cfg'd something properly?
> > > >
> > >
> > > The portable way to get ahold of the authenticated username is to call
> > > request.getRemoteUser().  See the servlet spec for more details on
> > > container managed security:
> > >
> > > http://java.sun.com/products/servlet/download.html
> > >
> > > > Thanx!
> > > > Ed
> > >
> > > Craig
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail:
> > <mailto:[EMAIL PROTECTED]>
> > >
> >
> >
> >
> > --
> > To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
> >
> >
>
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
>
>
> --
> To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>



--
To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>




RE: j_username in session cookie - where did it go?

2002-08-14 Thread Craig R. McClanahan



On Wed, 14 Aug 2002, Mark Schmeets wrote:

> Date: Wed, 14 Aug 2002 10:54:04 -0400
> From: Mark Schmeets <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: j_username in session cookie - where did it go?
>
> whoa, that seems like a very oversimplified answer. Some of us require
> security at the data level too. A "solution" like that makes Tomcat's
> authentication useless in that situation...
>

If you base your data security on the fact that the container has already
authenticated the user (and if you trust the container), why do you need
the password again?  You already know who the user is, and you can find
out if he/she has a particular role used to protect the data you are
checking for access rights to.

>
> Mark

Craig


>
>
> -Original Message-
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 11:11 PM
> To: Tomcat Users List
> Subject: Re: j_username in session cookie - where did it go?
>
>
>
>
> On Tue, 13 Aug 2002, Ed Thompson wrote:
>
> > Date: Tue, 13 Aug 2002 22:56:32 -0400
> > From: Ed Thompson <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: Re: j_username in session cookie - where did it go?
> >
> > I was also scraping the password - used j_username and j_passwd for
> > database access.
> >
>
> There is no portable way to do that.  And Tomcat 4 does not expose them,
> because the password is none of the app's business -- the user
> is either authenticated or not.
>
> > Any hints on that one?
>
> Re-architect your app so that it needs only the username.
>
> Craig
>
>
> >
> > - Original Message -
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 10:41 PM
> > Subject: Re: j_username in session cookie - where did it go?
> >
> >
> > >
> > >
> > > On Tue, 13 Aug 2002, Ed Thompson wrote:
> > >
> > > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > Subject: j_username in session cookie - where did it go?
> > > >
> > > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > > Tomcat 4.0.4.
> > > >
> > > > I am using form based authentication, and found under 3.2 I could pull
> > > > j_username out of the session cookie after authentication was done.
> > > >
> > >
> > > That's not how it really worked under 3.2, although if you are using BASIC
> > > authentication you could decode the username out of the "Authorization"
> > > header.
> > >
> > > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > > and installing 4.0.4 from scratch..
> > > >
> > > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > > have I not cfg'd something properly?
> > > >
> > >
> > > The portable way to get ahold of the authenticated username is to call
> > > request.getRemoteUser().  See the servlet spec for more details on
> > > container managed security:
> > >
> > > http://java.sun.com/products/servlet/download.html
> > >
> > > > Thanx!
> > > > Ed
> > >
> > > Craig
> > >
> > >
> > > --
> > > To unsubscribe, e-mail:
> > <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail:
> > <mailto:[EMAIL PROTECTED]>
> > >
> >
> >
> >
> > --
> > To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> > For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
> >
> >
>
>
> --
> To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
>
>
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>




AW: j_username in session cookie - where did it go?

2002-08-14 Thread Ralph Einfeldt

What has the security on the data level to do with Craig's answer?

The container makes the authentication, that is, it checks the
username and password against a Realm. After that the application
knows who is logged in and which roles this user has. That's
the only thing that an application needs to show or not show any
information.

For what do you need a password on this level or j_username?


> -Original Message-
> From: Mark Schmeets [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 14, 2002 16:54
> To: Tomcat Users List
> Subject: RE: j_username in session cookie - where did it go?
> 
> 
> whoa, that seems like a very oversimplified answer. Some of us require
> security at the data level too. A "solution" like that makes Tomcat's
> authentication useless in that situation...
> 
> 
> Mark
> 
> 
> -Original Message-
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 11:11 PM
> To: Tomcat Users List
> Subject: Re: j_username in session cookie - where did it go?
> 
> 
> 
> 
> On Tue, 13 Aug 2002, Ed Thompson wrote:
> 
> > Date: Tue, 13 Aug 2002 22:56:32 -0400
> > From: Ed Thompson <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: Re: j_username in session cookie - where did it go?
> >
> > I was also scraping the password - used j_username and j_passwd for
> > database access.
> >
>
> There is no portable way to do that.  And Tomcat 4 does not expose them,
> because the password is none of the app's business -- the user
> is either authenticated or not.
> 
> > Any hints on that one?
> 
> Re-architect your app so that it needs only the username.
> 
> Craig
> 
> 
> >
> > - Original Message -
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 10:41 PM
> > Subject: Re: j_username in session cookie - where did it go?
> >
> >
> > >
> > >
> > > On Tue, 13 Aug 2002, Ed Thompson wrote:
> > >
> > > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > Subject: j_username in session cookie - where did it go?
> > > >
> > > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > > Tomcat 4.0.4.
> > > >
> > > > I am using form based authentication, and found under 3.2 I could pull
> > > > j_username out of the session cookie after authentication was done.
> > > >
> > >
> > > That's not how it really worked under 3.2, although if you are using BASIC
> > > authentication you could decode the username out of the "Authorization"
> > > header.
> > >
> > > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > > and installing 4.0.4 from scratch..
> > > >
> > > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > > have I not cfg'd something properly?
> > > >
> > >
> > > The portable way to get ahold of the authenticated username is to call
> > > request.getRemoteUser().  See the servlet spec for more details on
> > > container managed security:
> > >
> > > http://java.sun.com/products/servlet/download.html
> > >
> > > > Thanx!
> > > > Ed
> > >
> > > Craig




RE: j_username in session cookie - where did it go?

2002-08-14 Thread Mark Schmeets

whoa, that seems like a very oversimplified answer. Some of us require
security at the data level too. A "solution" like that makes Tomcat's
authentication useless in that situation...


Mark


-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 13, 2002 11:11 PM
To: Tomcat Users List
Subject: Re: j_username in session cookie - where did it go?




On Tue, 13 Aug 2002, Ed Thompson wrote:

> Date: Tue, 13 Aug 2002 22:56:32 -0400
> From: Ed Thompson <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: j_username in session cookie - where did it go?
>
> I was also scraping the password - used j_username and j_passwd for
> database access.
>

There is no portable way to do that.  And Tomcat 4 does not expose them,
because the password is none of the app's business -- the user
is either authenticated or not.

> Any hints on that one?

Re-architect your app so that it needs only the username.

Craig


>
> - Original Message -
> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, August 13, 2002 10:41 PM
> Subject: Re: j_username in session cookie - where did it go?
>
>
> >
> >
> > On Tue, 13 Aug 2002, Ed Thompson wrote:
> >
> > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > Subject: j_username in session cookie - where did it go?
> > >
> > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > Tomcat 4.0.4.
> > >
> > > I am using form based authentication, and found under 3.2 I could pull
> > > j_username out of the session cookie after authentication was done.
> > >
> >
> > That's not how it really worked under 3.2, although if you are using BASIC
> > authentication you could decode the username out of the "Authorization"
> > header.
> >
> > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > and installing 4.0.4 from scratch..
> > >
> > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > have I not cfg'd something properly?
> > >
> >
> > The portable way to get ahold of the authenticated username is to call
> > request.getRemoteUser().  See the servlet spec for more details on
> > container managed security:
> >
> > http://java.sun.com/products/servlet/download.html
> >
> > > Thanx!
> > > Ed
> >
> > Craig




Re: j_username in session cookie - where did it go?

2002-08-13 Thread Craig R. McClanahan



On Tue, 13 Aug 2002, Ed Thompson wrote:

> Date: Tue, 13 Aug 2002 22:56:32 -0400
> From: Ed Thompson <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: j_username in session cookie - where did it go?
>
> I was also scraping the password - used j_username and j_passwd for
> database access.
>

There is no portable way to do that.  And Tomcat 4 does not expose them,
because the password is none of the app's business -- the user
is either authenticated or not.

> Any hints on that one?

Re-architect your app so that it needs only the username.

Craig


>
> - Original Message -
> From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, August 13, 2002 10:41 PM
> Subject: Re: j_username in session cookie - where did it go?
>
>
> >
> >
> > On Tue, 13 Aug 2002, Ed Thompson wrote:
> >
> > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > Subject: j_username in session cookie - where did it go?
> > >
> > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > Tomcat 4.0.4.
> > >
> > > I am using form based authentication, and found under 3.2 I could pull
> > > j_username out of the session cookie after authentication was done.
> > >
> >
> > That's not how it really worked under 3.2, although if you are using BASIC
> > authentication you could decode the username out of the "Authorization"
> > header.
> >
> > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > and installing 4.0.4 from scratch..
> > >
> > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > have I not cfg'd something properly?
> > >
> >
> > The portable way to get ahold of the authenticated username is to call
> > request.getRemoteUser().  See the servlet spec for more details on
> > container managed security:
> >
> > http://java.sun.com/products/servlet/download.html
> >
> > > Thanx!
> > > Ed
> >
> > Craig




Re: j_username in session cookie - where did it go?

2002-08-13 Thread Ed Thompson

I was also scraping the password - used j_username and j_passwd for
database access.

Any hints on that one?

- Original Message -
From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 10:41 PM
Subject: Re: j_username in session cookie - where did it go?


>
>
> On Tue, 13 Aug 2002, Ed Thompson wrote:
>
> > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > From: Ed Thompson <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: j_username in session cookie - where did it go?
> >
> > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > Tomcat 4.0.4.
> >
> > I am using form based authentication, and found under 3.2 I could pull
> > j_username out of the session cookie after authentication was done.
> >
>
> That's not how it really worked under 3.2, although if you are using BASIC
> authentication you could decode the username out of the "Authorization"
> header.
>
> > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > and installing 4.0.4 from scratch..
> >
> > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > have I not cfg'd something properly?
> >
>
> The portable way to get ahold of the authenticated username is to call
> request.getRemoteUser().  See the servlet spec for more details on
> container managed security:
>
> http://java.sun.com/products/servlet/download.html
>
> > Thanx!
> > Ed
>
> Craig




Re: j_username in session cookie - where did it go?

2002-08-13 Thread Craig R. McClanahan



On Tue, 13 Aug 2002, Ed Thompson wrote:

> Date: Tue, 13 Aug 2002 21:57:53 -0400
> From: Ed Thompson <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: j_username in session cookie - where did it go?
>
> I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> Tomcat 4.0.4.
>
> I am using form based authentication, and found under 3.2 I could pull
> j_username out of the session cookie after authentication was done.
>

That's not how it really worked under 3.2, although if you are using BASIC
authentication you could decode the username out of the "Authorization"
header.

> Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> and installing 4.0.4 from scratch..
>
> Can anyone shed light on what is (not) happening?  Have the rules changed or
> have I not cfg'd something properly?
>

The portable way to get ahold of the authenticated username is to call
request.getRemoteUser().  See the servlet spec for more details on
container managed security:

http://java.sun.com/products/servlet/download.html

> Thanx!
> Ed

Craig
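
Added example (not part of the thread, and not code from Tomcat or from any poster): one way to follow the two pieces of advice above, taking the username from request.getRemoteUser() and re-architecting the app so it needs only the username. The servlet name, the JNDI name jdbc/AppDB, the orders table with its owner column, and the "auditor" role are assumptions made up for this illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

/** Hypothetical servlet: row-level access keyed on the container-authenticated user. */
public class MyOrdersServlet extends HttpServlet {
    // Assumed JNDI name of a pooled DataSource that logs in with one
    // application account; no end-user password ever reaches this code.
    private static final String DS_NAME = "java:comp/env/jdbc/AppDB";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Set by the container after FORM or BASIC login; null when the URL is
        // not covered by a <security-constraint> or nobody has logged in.
        String user = request.getRemoteUser();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // fail closed
            return;
        }
        // Role membership comes from the Realm; "auditor" is a constructed role.
        boolean seeAll = request.isUserInRole("auditor");
        String sql = seeAll
                ? "SELECT id, item FROM orders ORDER BY id"
                : "SELECT id, item FROM orders WHERE owner = ? ORDER BY id";
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DS_NAME);
            try (Connection con = ds.getConnection();
                 PreparedStatement ps = con.prepareStatement(sql)) {
                if (!seeAll) {
                    ps.setString(1, user); // bound parameter, never concatenated
                }
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        out.println(rs.getInt("id") + "\t" + rs.getString("item"));
                    }
                }
            }
        } catch (NamingException | SQLException e) {
            throw new ServletException("order lookup failed", e);
        }
    }
}
```

Data-level security here lives in the WHERE clause and the role check; the database account belongs to the application, so no user password has to be captured or stored.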






Re: j_username in session cookie - where did it go?

2002-08-13 Thread Ben Walding

It was possibly an undocumented (and not part of the spec) feature.

You should just use => request.getRemoteUser()

Where request is passed in through doGet(request, response)  or however 
that works in JSP.

Ed Thompson wrote:

>I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
>Tomcat 4.0.4.
>
>I am using form based authentication, and found under 3.2 I could pull
>j_username out of the session cookie after authentication was done.
>
>Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
>Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
>and installing 4.0.4 from scratch..
>
>Can anyone shed light on what is (not) happening?  Have the rules changed or
>have I not cfg'd something properly?
>
>Thanx!
>Ed




j_username in session cookie - where did it go?

2002-08-13 Thread Ed Thompson

I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
Tomcat 4.0.4.

I am using form based authentication, and found under 3.2 I could pull
j_username out of the session cookie after authentication was done.

Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
and installing 4.0.4 from scratch..

Can anyone shed light on what is (not) happening?  Have the rules changed or
have I not cfg'd something properly?

Thanx!
Ed


