Re: HttpServletRequest.getSession()

2010-09-17 Thread Brian McBride
On 16/09/2010 15:50, André Warnier wrote: [...] RFC 2965 does not say that it overrides the older RFC 2109. It does, at the end of the Abstract: "This document reflects implementation experience with RFC 2109 and obsoletes it." I missed that. My interpretation is still that 2109

Re: HttpServletRequest.getSession()

2010-09-16 Thread Brian McBride
On 14/09/2010 23:17, André Warnier wrote: [...] Personal interpretation: if the browser receives a cookie marked secure, it should only send it back with requests happening over an HTTPS connection (no matter if it was received over HTTP or HTTPS). I'm using httpunit for testing. I

HttpServletRequest.getSession()

2010-09-14 Thread Brian McBride
The javadoc states this call returns the session associated with the request. I'm trying to figure out what "the session associated with the request" actually means. Specifically, if I have the same client sending https and http requests intermixed in time, will there be two session objects,

Re: HttpServletRequest.getSession()

2010-09-14 Thread Brian McBride
narrow down where I should look for the specification of the behaviour you describe, I'd be most grateful. Brian On 14/09/2010 12:55, Mark Thomas wrote: On 14/09/2010 10:40, Brian McBride wrote: The javadoc states this call returns the session associated with the request. I'm trying

Re: HttpServletRequest.getSession()

2010-09-14 Thread Brian McBride
Hi Christopher, On 14/09/2010 16:02, Christopher Schultz wrote: [...] I'm not sure what you're asking. The session refers to an HttpSession object, which should be obvious from the spec and the API itself. The request should also be obvious, since we're talking about HTTP and a

Re: interaction between .forward() and security-constraint

2010-09-13 Thread Brian McBride
Hi Christopher, On 13/09/2010 19:58, Christopher Schultz wrote: [...] That's a bit of a worry. Can you say any more about the edge cases I should be concerned about? Well, if Tomcat intercepts a request in order to perform authentication, then the filter

Re: interaction between .forward() and security-constraint

2010-09-12 Thread Brian McBride
Hi Christopher, On 09/09/2010 19:47, Christopher Schultz wrote: [...] Here's something you can do. Write a filter that you attach to URLs that /are/ used for authentication, and then copy the user's username into the session. Yes, that's the approach I'm

Re: interaction between .forward() and security-constraint

2010-09-06 Thread Brian McBride
on the performance implications of using HTTPS, i.e. is it cheap enough that I don't have to worry about using it for all traffic. Brian On 04/09/2010 17:27, André Warnier wrote: Brian McBride wrote: ... Ok - now to figure out how to implement digest authentication ... Digest authentication

interaction between .forward() and security-constraint

2010-09-04 Thread Brian McBride
Hi, I want to implement discretionary access control in an app running in Tomcat, i.e. access controls on URLs served by Tomcat can be changed by users. I expect to have 1M resources, each with its own ACL. Some resources have 'public' access. No authentication should be required to

Re: interaction between .forward() and security-constraint

2010-09-04 Thread Brian McBride
Hi Charles, Thanks for the quick answer. On 04/09/2010 15:20, Caldarale, Charles R wrote: [...] Declarative security is intentionally static; It's not the declarative access control I want to use. I'd have liked to be able to reuse the authentication code ... t [...] This is very

Re: interaction between .forward() and security-constraint

2010-09-04 Thread Brian McBride
Hi Jason, Thanks for the response. On 04/09/2010 15:27, Jason Britton wrote: I would look at a servlet filter to provide this sort of dynamic access control. That's what I'm doing. The filter needs to know the user id, and I was hoping to reuse Tomcat's authentication mechanism for that.