On Monday, November 19, 2012 12:33:26 PM Brian Burch wrote:
> This issue was discussed at length on the users mailing list under this
> topic: "AuthenticatorBase setChangeSessionIdOnAuthentication without
> cookies"
> http://mail-archives.apache.org/mod_mbox/tomcat-users/201209.mbox/%3C505EDA87.1080...@pingtoo.com%3E
>
> Authenticated access to restricted resources can only happen if the
> browser tells tomcat the session id when it requests ANY of those
> restricted resources. This is usually done via cookies, but when cookies
> are turned off the webapp has to keep reminding the browser of the
> session id - especially if the default behaviour is being used by the
> Container, when the session id is deliberately changed after authentication.
>
> Your protected jsp's MUST ALL use response.encodeURL() if you want your
> webapp to work properly without cookies.

OK, my confusion came from accessing the root and expecting the web.xml <welcome-file> tag to take care of my base page. Is there a reason it doesn't get an encodeURL()? When I make my initial page something that exists *and* encode the j_security_check, things work; at least I get to my next stopping point with a .jnlp (I'd like javaws to load securely *then* access the servlets securely). JWS documentation seems lacking and a couple of posts over here: http://forums.oracle.com/forums/forum.jspa?forumID=944&start=0 haven't elicited any enlightening responses.

> When using an IDE you need to be careful of classloader issues. Tomcat's
> classloader environment is sophisticated and I sometimes encounter
> strange behaviour under netbeans because it tries to cache classes for
> speed, but this sometimes means my changes do not seem to have worked.
> This can always be proved by restarting netbeans.

That's why I mentioned it. When I get confused at a response I stop the web server from inside Eclipse; when that fails to unconfuse me I exit Eclipse and start back up. So far I haven't seen much effect, i.e. my confusion remains, but at least I can break for coffee.

> I don't use eclipse, so I can't comment on your specific problems.
> However, you can simplify your debugging by running tomcat standalone
> and attaching your debugger to it.

I may get to that point, probably when I'm testing the .war.

Thanks for looking at this.
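The advice quoted in this message, written out for a form-login page and one protected page. This is an added example, not code from the thread; the file names `login.jsp`, `/protected/report.jsp` and `/protected/menu.jsp` are assumptions.

```jsp
<%-- login.jsp: hypothetical form-login-page named in web.xml.
     The form action goes through encodeURL() so that, with cookies off,
     the POST to j_security_check still carries the session id. --%>
<%@ page contentType="text/html;charset=UTF-8" %>
<form method="post" action="<%= response.encodeURL("j_security_check") %>">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Log in">
</form>

<%-- /protected/report.jsp: hypothetical page behind a security-constraint.
     The container changes the session id after authentication by default,
     so every link to another restricted resource is generated per response
     with encodeURL(); a hard-coded href would arrive without a session id. --%>
<%@ page contentType="text/html;charset=UTF-8" %>
<%
    // Show how the browser presented the session id on this request.
    String idSource = request.isRequestedSessionIdFromCookie() ? "cookie"
            : request.isRequestedSessionIdFromURL() ? "URL" : "none";
    String menuUrl = response.encodeURL(request.getContextPath() + "/protected/menu.jsp");
%>
<p>Session id arrived via: <%= idSource %></p>
<a href="<%= menuUrl %>">Menu</a>
```

With cookies enabled, `encodeURL()` returns the URL unchanged, so the same pages serve both kinds of browser.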