Thanks Mark! Will take a look.

On Fri, Oct 8, 2021, 5:01 AM Mark Thomas <[email protected]> wrote:
> On 07/10/2021 18:37, Michael Kolenda wrote:
> > Hey Tomcat Users,
> >
> > I've run into an interesting behavior with a custom JASPIC provider. When
> > there is an existing session, i.e. a JSESSIONID cookie, it appears the
> > groups/roles are not checked again... even when the new groups are provided
> > in the client Subject (JASPIC's validate()). When attempting stateless
> > authentication via JWT/OAuth, how can I ignore a previously set session for
> > an individual request?
> >
> > It appears to be based around equals() on my Principal object. I can make
> > it so Principals generated via stateless authentication protocols are
> > never equal, but then I get a new session id in the response. I don't want
> > a session id at all for this request.
>
> I'm only basing this on looking at Tomcat's source code so I may be on
> the wrong track.
>
> You probably want to set cache="false" on your authenticator. That will
> stop Tomcat trying to cache the authenticated principal in the session.
>
> From your description and looking at the source for AuthenticatorBase,
> I think that should address the issue you are seeing.
>
> You might also want to check if alwaysUseSession has been set. If not,
> the default of false is fine but I don't think you want this set to true.
>
> Mark
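Added example, not part of the thread: a `META-INF/context.xml` fragment that applies Mark's suggestion by declaring the authenticator valve explicitly so its `cache` and `alwaysUseSession` attributes can be set. Assumptions: the webapp's web.xml has no `<login-config>`, so `NonLoginAuthenticator` is the valve the JASPIC module runs under; both attributes are documented on Tomcat's authenticator valves.

```xml
<!-- META-INF/context.xml of the web application (constructed example) -->
<Context>
  <!-- Before: no explicit authenticator, so the defaults apply. cache="true"
       stores the authenticated Principal in the HttpSession; a later request
       that still carries the old JSESSIONID cookie is served with that cached
       Principal and its roles, and the groups the JASPIC module returns for
       the new token are not re-evaluated until the session ends. -->

  <!-- After: declare the valve so the attributes can be set.
       cache="false"            -> every request is authenticated afresh by
                                   the JASPIC module; no Principal is cached.
       alwaysUseSession="false" -> Tomcat does not create a session just to
                                   hold authentication state.
       NonLoginAuthenticator is an assumption (no <login-config> in web.xml);
       use the valve matching your auth-method if you declare one. -->
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         cache="false"
         alwaysUseSession="false" />
</Context>
```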
