Nicolas,

On 9/14/16 3:59 AM, nclemeur wrote:
>>> Hello,
>>>
>>> I am using HttpServletRequest.login to authenticate users on an
>>> ajax call. This is working fine and the relevant realm is
>>> queried. However, on subsequent requests, I have quite often
>>> the remote user being null despite having the correct JSESSION
>>> cookie set from the login call.
>>>
>>> This is not happening always, but it is quite frequent.
>>> Interestingly, if I set an attribute in the session, that
>>> session and attributes are preserved in the subsequent
>>> requests.
>>>
>>> Is there anything else that I should do to preserve
>>> authentication information? It is very strange that this
>>> process is working intermittently. As a workaround I am
>>> wrapping the request and overriding the
>>> getRemoteUser/getUserPrincipal/isUserInRole to get this
>>> information from the information I am storing in the session,
>>> but I would prefer to have this working without this workaround
>>> (for example the AccessLogValve does not report the user
>>> correctly when using that workaround).
>
>> Tomcat version?
>
>> What authentication, if any, do you have configured in web.xml?
>
>> Do you have any security constraints defined anywhere
>> (annotations or in web.xml)?
>
> I was having this problem in tomcat 8.0.35. I did try to reproduce
> it on a simpler setup on 8.0.37 and 8.5.5, but could not succeed...
>
> I'll try to integrate my tests in my main app to see if I can
> reproduce it then.

Any chance this is a problem with cookies using the HttpOnly flag?

-chris