I have a problem with tomcat security. Please let me know if I am doing something wrong or there is a problem with tomcat. I am using tomcat 3.2.1 on Redhat Linux 6.2. I am running the servlet engine standalone without the apache web server.

My entire servlet is protected with BASIC authorization in its web.xml. After the user completes the login it is possible that some servlet pages may require a second level of authorization. My servlet also uses BASIC auth. for this using its own realm. When my servlet issues the "401 Unauthorized" response the browser properly pops up a new login window using the realm specified by my servlet.

This is where things start to fail. When the user enters the login data it seems that tomcat intercepts the BASIC auth. data and attempts to verify the user as if the requested realm was for the tomcat login and not my servlet login. Of course this fails.

Why should tomcat do this when the user has already been verified and issued a JSESSIONID cookie?

Thanks,
Mike
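
The situation described in the message above, as an added Python model (not part of the original post and not Tomcat's code). A Basic `Authorization` value carries only base64(user:password) and no realm name, so two stacked checks that read the same header cannot tell which prompt the user answered. Assumptions: the outer layer validates whatever header arrives, as the post reports, and all user names, passwords and realm names are constructed.

```python
import base64
import hmac

# Constructed credential stores (hypothetical): one per realm.
CONTAINER_USERS = {"mike": "container-pw"}   # outer, container-level realm
SERVLET_USERS = {"mike": "admin-pw"}         # servlet's own second-level realm


def basic_header(user, password):
    """Build the Authorization value a browser sends after a Basic prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(header):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check(header, users):
    """Validate the header against one realm's user store."""
    creds = parse_basic(header)
    if creds is None:
        return False
    expected = users.get(creds[0])
    return expected is not None and hmac.compare_digest(
        expected.encode(), creds[1].encode())


def handle(header, needs_second_level):
    """Model of two stacked Basic checks that both read the same header."""
    if not check(header, CONTAINER_USERS):
        return 401, 'Basic realm="container"'
    if needs_second_level and not check(header, SERVLET_USERS):
        return 401, 'Basic realm="servlet-admin"'
    return 200, None
```

In this model, credentials entered at the second prompt replace the first set in the header, so the outer check rejects them before the servlet's own check runs.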

