Question about container managed security and session
I'm using container managed security in Tomcat connected to a mysql database. Everything is working ok, except some of the resources I have set as security constraints access session. When the session times out, and I hit refresh, I'm not getting sent back to the login screen, but instead get an NPE because I'm trying to use an object from session that doesn't exist.
Why wouldn't I get forwarded to the login screen when I hit "refresh" instead of executing the resource after session timeout?
By geoffr10a at 2007-10-2 4:21:19

My guess is that you are using "BASIC" authentication. In BASIC authentication the user's security credentials are stored on the browser and passed to the server with each request. Even though the session has expired the browser still has his credentials.
I don't know if you can force the browser to revalidate the user. You could try first validating that the session is still valid and, if it is not, redirecting the user to a page that uses JavaScript to open a new window. This new window may not have the user's stored credentials and may require the user to re-log in.
Or you could go to "FORM" based authentication which stores the user credentials in the user's session.
> Or you could go to "FORM" based authentication which
> stores the user credentials in the user's session.
FORM based authentication uses session. But, is it true that user information is stored in the session automatically after login? What the spec says is request.getUserPrincipal() will return the user principal after successful login. But there doesn't seem to be any guarantee that similar information could be retrieved from the session unless we deliberately put them into the session ourselves.
Please correct me if I am wrong, and I'll be glad to hear that, because I am actually looking for some automatic way to store user information into the session rather than relying on request.getUserPrincipal().
You are correct.
Form based authentication uses the session, but it doesn't store its information in attributes that you can easily access. The best approach is to get the principal from the request. If you need to build a user object in your session that's up to you, since there is no guarantee that the application will always be deployed with form based authentication. If basic was used, there won't be anything in the session.
If you want an automatic way, you could consider a filter.
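The filter idea from the reply above, worked out as an added example (this is not code from any poster in the thread). It addresses both problems discussed here: the NPE after a timeout under BASIC authentication, where the container silently re-authenticates into a fresh, empty session, and the wish for an "automatic" user object in the session built from request.getUserPrincipal(). The attribute name, the timeout page, the role name and the SessionUser class are all assumptions made for this example; the servlet API calls (getRequestedSessionId, isRequestedSessionIdValid, getUserPrincipal, isUserInRole) are standard javax.servlet ones.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (not from the original thread) that keeps a user
 * object in the session in step with the container-authenticated principal,
 * and turns a timed-out session into a redirect instead of a NullPointerException.
 * Map it to the protected resources only, not to the login or timeout pages.
 */
public class SessionUserFilter implements Filter {

    /** Session attribute under which the user object is kept (name assumed for this example). */
    public static final String USER_ATTR = "currentUser";

    /** Page shown after a timeout (path assumed for this example). */
    private static final String EXPIRED_PAGE = "/sessionExpired.jsp";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Case 1: the browser sent a session id the container no longer knows,
        // i.e. the session timed out. Under BASIC auth the container has already
        // re-authenticated from the cached credentials, so nothing else would
        // notice. Create a fresh session first so the stale cookie is replaced
        // (otherwise the redirect target would trip this same check again).
        if (request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid()) {
            request.getSession(true);
            response.sendRedirect(request.getContextPath() + EXPIRED_PAGE);
            return;
        }

        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Not authenticated by the container; the security constraint
            // (or the absence of one) decides what happens next.
            chain.doFilter(req, res);
            return;
        }

        // Case 2: authenticated, but the session does not yet carry a user
        // object (first request after login, or a new session after a timeout).
        // Build it from the principal, so downstream code never finds the
        // attribute missing. This works the same for BASIC and FORM auth.
        HttpSession session = request.getSession(true);
        SessionUser user = (SessionUser) session.getAttribute(USER_ATTR);
        if (user == null || !user.getName().equals(principal.getName())) {
            // "admin" is an assumed role name; use the roles declared in web.xml.
            user = new SessionUser(principal.getName(), request.isUserInRole("admin"));
            session.setAttribute(USER_ATTR, user);
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /** Minimal serializable user object kept in the session (assumed shape). */
    public static class SessionUser implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final boolean admin;

        public SessionUser(String name, boolean admin) {
            this.name = name;
            this.admin = admin;
        }

        public String getName() { return name; }

        public boolean isAdmin() { return admin; }
    }
}
```

Declare the filter in web.xml with a `<filter-mapping>` whose `<url-pattern>` covers the same paths as the security constraints; the container performs authentication before filters run, so `getUserPrincipal()` is already populated when `doFilter` executes. The timeout detection relies on the browser still sending the old JSESSIONID cookie, which is exactly the situation the original question describes.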