To me it seems only if the login was the same for both protected regions.

Luis.

----- Original Message -----
From: "Karr, David" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 02, 2002 6:57 PM
Subject: Servlet 2.3 spec: login information shared between apps? That can't be right.


> I was pointed to a paragraph in the Servlet 2.3 specification that seems
> wrong to me.  Section SRV.12.6 says the following:
>
> "Therefore, a servlet container is required to track authentication
> information at the container level (rather than at the web application
> level). This allows users authenticated for one web application to access
> other resources managed by the container permitted to the same security
> identity."
>
> Before that, it says a "desire" is to "Require re-authentication of users
> only when a security policy domain boundary has been crossed."
>
> This could be easily interpreted to mean that if a container was hosting two
> separate applications, where one "web.xml" specified that a particular named
> role could access the protected region, and the other "web.xml" used the
> same role name for its protected region, that the user could go through the
> container-managed authentication process in the first application, and then
> they could directly access pages of the second application without requiring
> a login.
>
> Is this an incorrect interpretation?  If so, could someone explain exactly
> what this paragraph is supposed to mean, both theoretically and in practice?
>
>
___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
>
>

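A toy model of the behaviour the quoted SRV.12.6 text describes, added here as an illustration; it is not part of the thread, the specification, or any container's code. It assumes a "security policy domain" corresponds to one realm of users and roles, models a single browser session, and uses constructed app, realm, user and role names.

```java
import java.util.*;

// Toy model, not the Servlet API: the container records who is authenticated
// per security policy domain, while each web application still enforces the
// role named in its own web.xml.
public class ContainerSsoModel {
    enum Outcome { LOGIN_REQUIRED, FORBIDDEN, ALLOWED }

    // One deployed application: its domain (realm) and the role its
    // security-constraint requires. All names are constructed.
    record WebApp(String name, String realm, String requiredRole) {}

    // Container-level state: realm -> (user -> roles).
    private final Map<String, Map<String, Set<String>>> realms = new HashMap<>();
    // Identity authenticated in each realm for this one browser session.
    private final Map<String, String> loggedIn = new HashMap<>();

    void addUser(String realm, String user, String... roles) {
        realms.computeIfAbsent(realm, r -> new HashMap<>()).put(user, Set.of(roles));
    }

    // Container-managed login is recorded per realm, not per application.
    void login(String realm, String user) {
        if (!realms.getOrDefault(realm, Map.of()).containsKey(user))
            throw new IllegalArgumentException("unknown user in realm " + realm);
        loggedIn.put(realm, user);
    }

    Outcome request(WebApp app) {
        String user = loggedIn.get(app.realm());
        if (user == null) return Outcome.LOGIN_REQUIRED; // domain boundary crossed
        // Authentication is shared; authorization is still checked per app.
        Set<String> roles = realms.get(app.realm()).get(user);
        return roles.contains(app.requiredRole()) ? Outcome.ALLOWED : Outcome.FORBIDDEN;
    }

    public static void main(String[] args) {
        ContainerSsoModel c = new ContainerSsoModel();
        c.addUser("corp", "alice", "manager");
        c.addUser("corp", "bob", "clerk");
        WebApp app1 = new WebApp("app1", "corp", "manager");
        WebApp app2 = new WebApp("app2", "corp", "manager");
        WebApp app3 = new WebApp("app3", "partner", "manager");
        System.out.println("app1 before login: " + c.request(app1));
        c.login("corp", "alice");                 // login triggered by app1
        System.out.println("app2, same realm and role: " + c.request(app2));
        System.out.println("app3, other realm: " + c.request(app3));
        c.login("corp", "bob");                   // identity without the role
        System.out.println("app2 as bob: " + c.request(app2));
    }
}
```

When reviewing a shared container, the points to check are which applications sit in the same realm and whether a role name reused across their web.xml files is meant to grant access in each of them.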