-
1. Re: New LoginContext for each request...
starksm64 May 5, 2004 2:20 AM (in response to vphagura)
That is the expected behavior in 3.2.3. 3.2.1 could leak credentials back to the request thread pool and allow unauthenticated users to access secured content using someone else's credentials.
-
2. Re: New LoginContext for each request...
jburugupalli May 5, 2004 5:32 AM (in response to vphagura)
I think this behaviour is only seen in the case of servlets as clients and not in the case of standalone Java clients, as it seems that once you call LoginContext.login() it associates the principal and credential with every call made from this client...
But in the servlet or JSP case it does not, and it passes null, null in subsequent requests. So the only solution is calling the LoginContext.login() method on every request, or did anyone find a better solution?
My problem is I have many JSPs, and from there I access JavaBeans directly, and these JavaBeans directly interact with the session beans.
And I hope you know the problem if I have to assign the LoginContext for every request... it seems my future is dark... it would be very nice if anyone could suggest a better solution which can be done without much code change.
regards
jani
-
3. Re: New LoginContext for each request...
starksm64 May 5, 2004 12:03 PM (in response to vphagura)
Use a servlet filter or tomcat valve then.
-
4. Re: New LoginContext for each request...
vphagura May 6, 2004 11:22 AM (in response to vphagura)
I agree with Jani, and I also appreciate the response from Scott. But could you please explain a little bit more what you mean when you say, "Use a servlet filter or tomcat valve then", or point me to some more details on this?
Thanks
Vijay
-
5. Re: New LoginContext for each request...
jburugupalli May 7, 2004 2:12 AM (in response to vphagura)
Hi all,
Thanks Scott, I used a filter to do this, but I am not sure how to do it with a Tomcat valve. Anyway, the filter looks like this:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        try {
            // Bind the credentials to the current request thread before the request is processed.
            WorkServerWebEJBServiceLocator.getInstance().performLogin();
            chain.doFilter(request, response);
        } catch (ServiceLocatorException aException) {
            cCat.error("WorkServerWebEJBServiceLocator Login error.");
            cCat.debug("WorkServerWebEJBServiceLocator Login error.", aException);
        } finally {
            // Always log out, so the credentials do not stay on the pooled thread.
            try {
                WorkServerWebEJBServiceLocator.getInstance().performLogout();
            } catch (ServiceLocatorException aException) {
                cCat.error("WorkServerWebEJBServiceLocator Logout error.");
                cCat.debug("WorkServerWebEJBServiceLocator Logout error.", aException);
            }
        }
    }

I configured this filter for all URLs using a /* mapping. The performLogin and logout methods do the following:

    try {
        UsernamePasswordHandler tHandler =
                new UsernamePasswordHandler(iUserName, iPassword.toCharArray());
        iLoginContext = new LoginContext("client-login", tHandler);
        iLoginContext.login();
        // Log the user name only; the password must not be written to the log.
        cCat.info("Login With :" + iUserName);
    } catch (LoginException aException) {
        cCat.error("Could not login for the LoginContext.");
    }

I hope this will help.
regards
jani
-
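Why the logout in the filter's finally block matters, as an added example that is not part of the original thread and is not JBoss code: it models the leak described in the first reply with a plain ThreadLocal and a one-thread pool. The ThreadLocal model, the class name and the method names are assumptions made for illustration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Simplified model (assumption): the caller identity is held in a ThreadLocal,
// and requests are served by a pool that reuses its worker threads.
public class PooledIdentityDemo {
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Handles one request; user == null models an unauthenticated request.
    static String handle(String user, boolean logoutInFinally) {
        try {
            if (user != null) {
                CURRENT_USER.set(user);   // "login": bind the identity to this thread
            }
            // The secured call sees whatever identity is bound to the thread.
            return String.valueOf(CURRENT_USER.get());
        } finally {
            if (logoutInFinally) {
                CURRENT_USER.remove();    // "logout": unbind before the thread is reused
            }
        }
    }

    // Runs an authenticated request and then an anonymous one on the same worker
    // thread, and returns the identity the anonymous request ran with.
    static String identitySeenByAnonymous(boolean logoutInFinally) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1); // one worker, so reuse is certain
        try {
            pool.submit(() -> handle("alice", logoutInFinally)).get();
            return pool.submit(() -> handle(null, logoutInFinally)).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("no logout:         " + identitySeenByAnonymous(false));
        System.out.println("logout in finally: " + identitySeenByAnonymous(true));
    }
}
```

Without the cleanup the anonymous request runs with the identity left behind by the previous request on that thread; with the cleanup in finally it runs with none.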
6. Re: New LoginContext for each request...
nivek May 7, 2004 7:22 AM (in response to vphagura)
<< That is the expected behavior in 3.2.3. 3.2.1 could leak credentials back to the request thread pool and allow unauthenticated users to access secured content using someone else's credentials. >>
Will this continue to be the same sort of behavior with 3.2.4? Thanks..
-
7. Re: New LoginContext for each request...
vphagura May 7, 2004 12:22 PM (in response to vphagura)
Thanks to Jani for the code. Of course, a Tomcat valve would also be helpful. Looking forward to an answer to nivek's query!!
Vijay
-
8. Re: New LoginContext for each request...
gauravag Aug 2, 2010 5:26 AM (in response to jburugupalli)
Hi,
I have checked your data; the thing is, I have the same issue: with every request I need to call the login method of the LoginContext again.
Other than a filter, how can we do it? If you have any solution for it, please let me know. It's urgent...
Thanks...