-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Mark,
On 5/28/15 5:29 AM, Mark Thomas wrote: > On 28/05/2015 10:22, Leonid Rozenblyum wrote: >> Hello experts. >> >> We are using FormAuthenticator and face a following issue: >> >> 1) Session persistence is disabled 2) User is on login page 3) >> Restart Tomcat 4) User tries authentication >> >> He receives error 400 or 408. >> >> While digging deeper we discovered that in this case Tomcat >> validates session id and if it's old/invalid - prevents >> logging-in even though valid credentials are passed. >> >> We tried landingPage solution - it looks better than error >> 400/408 but anyway it forces user to enter credentials twice (or >> we don't know how to pass credentials to landingPage >> implicitly). >> >> We think that an improvement of user experience would be : >> >> FormAuthenticator: 255 if (session == null) { session = >> request.getSessionInternal(false); } >> >> ==> if (session == null) { session = >> request.getSessionInternal(true); } >> >> So if session is invalid or missing - simply create it. >> >> Does this idea make sense? > > No. It makes no sense at all. > >> Can we achieve the goal of not forcing user entering credentials >> twice without changes in Tomcat ? > > No. The credentials are stored in the session. If you restart > Tomcat with session persistence disabled those credentials are lost > and the user is going to have to re-enter them. I think the OP is saying that the credentials are only entered a single time. The Tomcat restart between showing and submitting the login page is the source of the problem. Leonid, the servlet spec is very clear about the workflow for authentication: the client must request a protected resource, then the container challenges the client for authentication (shows the login page), and then the client must submit valid credentials (send a request to j_security_check). After that, the container must re-process the client's original request with the newly-authenticated principal. Tomcat stores the original request in the session. If you lose your session between presenting the login page and submitting the credentials, Tomcat has no way to re-process the original request. IMO, this is a hole in the spec, because it doesn't allow people to login simply because they want to; instead, they must first attempt to reach a protected resource. If you want your users to be able to login without requesting a protected resource, you may write your own login-handler and call ServletRequest.login(). That way, you won't require a session to exist during that whole workflow. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJVZzkfAAoJEBzwKT+lPKRYnxgP/jRvzmTgLbjOWErrYrKcE3M1 n6xnW8WRws8sTUnzZpcnqsE2sFdCuUBu5PFMZHmmU4Ku8EbuwO34F2P/BsmFellZ flNpMBR1YEcm7BJMKRhWzpmGl9Bawa5GZaX5FLot+QvzHb7xpdQ4aI+nuy1SQM3s eKEDPGzdLmOCNEK/ryJnQb9d4sbZ0iH7sNbQYDU7I8jsirbvQUDGOK/TUQEhejqA uviUVjOWM0tvEfnbPWSNE3PQXznw3rlrOoEcixAzyF+k1w8rIoD1Kui8YvJQAWPP j+lakjCgIPHDCQyFJRK0ysBKH3QsPvD0RITeWiwRfWNGevqyc2fqqGvcgUOrh4+2 sbEcZTlOk5YtLpyTzfJggANFYx72m7GOcSE+hyRJ43S83RrBYVxezUoyNfPfelLF UDcJt+yVxO37auIZAg4TLpiUYabHcFSmk2D1ka/8HXJO1mTiedckFzIkg2fHYL+8 zIQG5i/L3HqMFYZ/uMThYJlIJztMVdzPTi4Uhf8AO8Cwof4ptw+Bds2Yk2K2S5UZ OS3Xqw0Iw6UD/jY3aT6MXm6UvsXL2MI5JBJFvUSXDaBSWTDAU1nmE7U93k/qpt5L ov8Bl3YLJoIj3QP1VZbPb537mAI0n4QmWRTf1+dPb0VPIt4LD5OifkuKE71aZkA/ 8PAwsXwo1NQEqOMN4NQe =VRcn -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org