André,

On 5/29/15 2:47 AM, André Warnier wrote:
> Leonid Rozenblyum wrote:
>> Hello, Christopher! I indeed meant this: "The Tomcat restart
>> between showing and submitting the login page is the source of
>> the problem."
>>
>> Your explanation clarifies the core of the issue well!
>>
>> I'll dig into the Tomcat documentation deeper to find out how to
>> inject that custom login handler.
>>
>> Thanks!
>>
>> On Thu, May 28, 2015 at 6:49 PM, Christopher Schultz
>> <ch...@christopherschultz.net> wrote:
>>> Mark,
>>>
>>> On 5/28/15 5:29 AM, Mark Thomas wrote:
>>>> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>>>>> Hello experts.
>>>>>
>>>>> We are using FormAuthenticator and face the following issue:
>>>>>
>>>>> 1) Session persistence is disabled
>>>>> 2) User is on the login page
>>>>> 3) Restart Tomcat
>>>>> 4) User tries authentication
>>>>>
>>>>> He receives error 400 or 408.
>>>>>
>>>>> While digging deeper we discovered that in this case
>>>>> Tomcat validates the session id and, if it's old/invalid,
>>>>> prevents logging in even though valid credentials are
>>>>> passed.
>>>>>
>>>>> We tried the landingPage solution - it looks better than error
>>>>> 400/408, but it still forces the user to enter credentials
>>>>> twice (or we don't know how to pass credentials to
>>>>> landingPage implicitly).
>>>>>
>>>>> We think that an improvement of user experience would be:
>>>>>
>>>>> FormAuthenticator: 255
>>>>>     if (session == null) {
>>>>>         session = request.getSessionInternal(false);
>>>>>     }
>>>>>
>>>>> ==>
>>>>>     if (session == null) {
>>>>>         session = request.getSessionInternal(true);
>>>>>     }
>>>>>
>>>>> So if the session is invalid or missing - simply create it.
>>>>>
>>>>> Does this idea make sense?
>>>> No. It makes no sense at all.
>>>>
>>>>> Can we achieve the goal of not forcing the user to enter
>>>>> credentials twice without changes in Tomcat?
>>>> No. The credentials are stored in the session. If you
>>>> restart Tomcat with session persistence disabled those
>>>> credentials are lost and the user is going to have to
>>>> re-enter them.
>>> I think the OP is saying that the credentials are only entered
>>> a single time. The Tomcat restart between showing and
>>> submitting the login page is the source of the problem.
>>>
>>> Leonid, the servlet spec is very clear about the workflow for
>>> authentication: the client must request a protected resource,
>>> then the container challenges the client for authentication
>>> (shows the login page), and then the client must submit valid
>>> credentials (send a request to j_security_check). After that,
>>> the container must re-process the client's original request
>>> with the newly-authenticated principal.
>>>
>>> Tomcat stores the original request in the session. If you lose
>>> your session between presenting the login page and submitting
>>> the credentials, Tomcat has no way to re-process the original
>>> request.
>>>
>>> IMO, this is a hole in the spec, because it doesn't allow
>>> people to login simply because they want to; instead, they must
>>> first attempt to reach a protected resource.
>>>
>>> If you want your users to be able to login without requesting
>>> a protected resource, you may write your own login-handler and
>>> call ServletRequest.login(). That way, you won't require a
>>> session to exist during that whole workflow.
>>>
>>> -chris
>
> It all begs the question, by pure curiosity if nothing else, of
> how often the OP restarts his Tomcat, that this issue seems to
> bother him so. Last time I looked, my 20-odd Tomcats had been
> running for some 240 days or so. ...

then they are overdue for an upgrade ;)

-chris
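A custom login handler of the kind Chris describes, built on ServletRequest.login() instead of j_security_check, as an added example that is not part of this thread and not Tomcat's own code. It assumes a login form that POSTs the fields "username" and "password" to /app-login, a login page at /login.html and a fixed landing page at /home; the servlet name and all paths are placeholders.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical login handler (added example). Authenticates against the
// context's Realm via request.login(), so no saved request and no
// pre-existing session are needed: a Tomcat restart between rendering
// the form and submitting it only costs the user a new session id.
@WebServlet("/app-login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null || user.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Discard whatever session the browser brought along (it may be stale
        // after a restart, or handed out before the user was authenticated) and
        // start from a fresh one. Tomcat caches the authenticated principal in
        // the session, so a session must exist before login() is called.
        HttpSession stale = req.getSession(false);
        if (stale != null) {
            stale.invalidate();
        }
        HttpSession session = req.getSession(true);

        try {
            req.login(user, pass);
        } catch (ServletException e) {
            // Unknown user and wrong password get the same response; detail
            // stays in the server log only.
            log("Login failed for user '" + user + "' from " + req.getRemoteAddr());
            session.invalidate();
            resp.sendRedirect(req.getContextPath() + "/login.html?failed=1");
            return;
        }

        // Redirect to a fixed landing page rather than a caller-supplied URL,
        // so the handler cannot be used as an open redirect.
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

With this handler the login page can be a plain, unprotected resource: the user never has to hit a protected URL first, and nothing about the exchange depends on state saved before the form was shown. The trade-off is that the container no longer replays the original request for you; the redirect target is chosen by the application instead.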