André,

André Warnier wrote:
| I'm possibly nitpicking, but still trying to get a full crash-proof
| explanation :

No problem. Sometimes it's fun to beat dead horses ;)

| A servlet context consists of a servlet (code), and a context descriptor
| (web.xml) which points to this servlet code, and also establishes a
| "security context" (in other words says that access to this servlet is
| subject to certain criteria).

FYI, web.xml is officially called the "deployment descriptor".

| A browser sends a request for this servlet context.

Technically, the client sends a request for a resource that will be
served by this servlet context (colloquially referred to as the
"application").

| Tomcat receives the request, and determines that it needs authentication.
| At this point, the code of the servlet has not yet been invoked, so
| there has been no opportunity for the servlet to call
| HttpServletRequest.getSession().
| (true/false ?)

True.

| So according to the above, neither the session nor the JSESSIONID cookie
| have yet been created.
| (true/false ?)

True.

| Since there is no session, there is no stored user-id, and Tomcat sends
| back a 401 response (or a login form, depending).
| There cannot be a JSESSIONID cookie in this server response, because no
| session exists yet.

Tomcat knows that it uses the session to store authentication
information, so Tomcat itself will create the session and add the cookie
to the response at this point.

| The user authenticates, the authentication is checked, and now by some
| mechanism the call is redirected to the originally-requested URL.
| But still according to the above, there is no session yet, because
| HttpServletRequest.getSession() has still not been called.

It has been called, just not by /your/ code at this point.

| But Tomcat must be able to retrieve the authenticated user-id somewhere,
| before allowing the servlet code to be executed.  So if there is no
| session yet, where does it get it ?

See above.

| (I also have a problem with the
| HttpServletRequest.isRequestedSessionIdValid() call, because I fail to
| see a case where the return value would be false.  But I'll get to that
| one later, if I haven't exhausted everyone's patience by then.)

If you make a request to a servlet with a bogus session id, then this
method will return false. It could be generally bogus (wrong format,
etc.) or the session could have expired. The requested session id could
be different from the "current" session id, if an invalid session id was
requested, and the servlet calls request.getSession(true). In that case,
the requested and actual session ids will be different.

-chris
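As an added illustration of the last point above (example code, not Chris's or Tomcat's own): a hypothetical servlet filter, SessionIdAuditFilter, that records which of the three cases a request falls into (no session id presented, a valid one, or a bogus/expired one) and shows that after getSession(true) the requested id no longer matches the session the container actually hands back.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical audit filter (added example, not part of Tomcat) that logs how the
 * container treats the JSESSIONID a client presented. Session ids are secrets,
 * so only a short prefix is written to the log.
 */
public class SessionIdAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionIdAuditFilter.class.getName());

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    /** Keep only a prefix so a log file never leaks a usable session id. */
    static String redact(String id) {
        return id == null ? "none" : id.substring(0, Math.min(6, id.length())) + "...";
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Id sent by the client (cookie or URL rewriting), or null if none was sent.
        String requested = http.getRequestedSessionId();

        if (requested == null) {
            LOG.fine("no session id presented");
        } else if (http.isRequestedSessionIdValid()) {
            LOG.fine("valid session id presented: " + redact(requested));
        } else {
            // Wrong format or expired: the container will not resume this session.
            LOG.warning("invalid session id " + redact(requested)
                    + " presented from " + http.getRemoteAddr());
        }

        // With an invalid requested id, getSession(true) creates a fresh session,
        // so the id the container now uses differs from the one the client sent.
        HttpSession session = http.getSession(true);
        if (requested != null && !requested.equals(session.getId())) {
            LOG.warning("requested id " + redact(requested)
                    + " replaced by new session " + redact(session.getId()));
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to /* in web.xml to see the "replaced by new session" line whenever a client presents a stale or malformed JSESSIONID.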

