What does security at the data level have to do with Craig's answer?

The container makes the authentication, that is, it checks the
username and password against a Realm. After that the application
knows who is logged in and which roles this user has. That's
the only thing that an application needs to show or not show any
information.

For what do you need a password on this level, or j_username?


> -----Original Message-----
> From: Mark Schmeets [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 14, 2002 16:54
> To: Tomcat Users List
> Subject: RE: j_username in session cookie - where did it go?
> 
> 
> whoa, that seems like a very oversimplified answer. Some of us require
> security at the data level too. A "solution" like that makes Tomcat's
> authentication useless in that situation...
> 
> 
> Mark
> 
> 
> -----Original Message-----
> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 11:11 PM
> To: Tomcat Users List
> Subject: Re: j_username in session cookie - where did it go?
> 
> 
> 
> 
> On Tue, 13 Aug 2002, Ed Thompson wrote:
> 
> > Date: Tue, 13 Aug 2002 22:56:32 -0400
> > From: Ed Thompson <[EMAIL PROTECTED]>
> > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > To: Tomcat Users List <[EMAIL PROTECTED]>
> > Subject: Re: j_username in session cookie - where did it go?
> >
> > I was also scraping the password - used j_username and j_passwd for
> > database access.
> >
> 
> There is no portable way to do that.  And Tomcat 4 does not expose them,
> because the password is none of the app's business -- the user
> is either authenticated or not.
> 
> > Any hints on that one?
> 
> Re-architect your app so that it needs only the username.
> 
> Craig
> 
> 
> >
> > ----- Original Message -----
> > From: "Craig R. McClanahan" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, August 13, 2002 10:41 PM
> > Subject: Re: j_username in session cookie - where did it go?
> >
> >
> > >
> > >
> > > On Tue, 13 Aug 2002, Ed Thompson wrote:
> > >
> > > > Date: Tue, 13 Aug 2002 21:57:53 -0400
> > > > From: Ed Thompson <[EMAIL PROTECTED]>
> > > > Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > To: Tomcat Users List <[EMAIL PROTECTED]>
> > > > Subject: j_username in session cookie - where did it go?
> > > >
> > > > I have just upgraded (uninstalled and reinstalled) from Tomcat 3.2 to
> > > > Tomcat 4.0.4.
> > > >
> > > > I am using form based authentication, and found under 3.2 I could pull
> > > > j_username out of the session cookie after authentication was done.
> > > >
> > >
> > > That's not how it really worked under 3.2, although if you are using BASIC
> > > authentication you could decode the username out of the "Authorization"
> > > header.
> > >
> > > > Now under Tomcat 4 it doesn't seem to be there.  I know I tried it under
> > > > Tomcat 4.0.1 before I upgraded and it worked, but not after uninstalling 3.2
> > > > and installing 4.0.4 from scratch..
> > > >
> > > > Can anyone shed light on what is (not) happening?  Have the rules changed or
> > > > have I not cfg'd something properly?
> > > >
> > >
> > > The portable way to get ahold of the authenticated username is to call
> > > request.getRemoteUser().  See the servlet spec for more details on
> > > container managed security:
> > >
> > > http://java.sun.com/products/servlet/download.html
> > >
> > > > Thanx!
> > > > Ed
> > >
> > > Craig
> > >
> > >
> > > --
> > > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> > > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
> > >
> >
> >
> >
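
One way to follow the advice in this thread, as an added example that is not code from any of the posters or from the Tomcat project: a servlet enforces data-level access using only request.getRemoteUser() and isUserInRole(), while the database connection comes from a container pool that logs in with the application's own account. The JNDI name jdbc/AppDB, the orders table and the auditor role are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class OrdersServlet extends HttpServlet {
    private DataSource pool;

    public void init() throws ServletException {
        try {
            // Assumed JNDI name; the pool holds the app's DB credentials, not the user's.
            pool = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
        } catch (NamingException e) {
            throw new ServletException(e);
        }
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();            // set by the container after login
        if (user == null) {                           // URL not covered by a security-constraint
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        boolean seeAll = req.isUserInRole("auditor"); // assumed role name defined in the Realm
        String sql = seeAll
                ? "SELECT id, owner, total FROM orders"
                : "SELECT id, owner, total FROM orders WHERE owner = ?";
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        try (Connection c = pool.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            if (!seeAll) ps.setString(1, user);       // row-level filter keyed on the username
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next())
                    out.println(rs.getInt("id") + " " + rs.getString("owner") + " " + rs.getBigDecimal("total"));
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

The user's password never reaches the application; what each user may read is decided by the authenticated name and roles the container supplies.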