4 Replies Latest reply on Jun 6, 2012 4:49 AM by sfcoy

Tracking of web login state in JBoss AS 7.1.1

sfcoy Jun 4, 2012 3:21 AM

Hi there,

We are using javax.servlet.http.HttpServletRequest#login(java.lang.String, java.lang.String) to authenticate users in JBoss AS 7.1.1, and found that unless we prefix the login call with

{code:java}request.getSession(true);{code}

the container forgets that we have authenticated for subsequent requests.

This seems like a bug to me.

1. Re: Tracking of web login state in JBoss AS 7.1.1

jfclere Jun 5, 2012 4:11 AM (in response to sfcoy)

well request.getSession(true); creates session and login() authenticate user that are 2 different things.
Actions
2. Re: Tracking of web login state in JBoss AS 7.1.1

sfcoy Jun 5, 2012 4:18 AM (in response to jfclere)

If I leave out the request.getSession(true);, subsequent requests to protected resources fail with a 403.
Actions
3. Re: Tracking of web login state in JBoss AS 7.1.1

jfclere Jun 6, 2012 4:13 AM (in response to sfcoy)

Because you need to create a session.
Actions
4. Re: Tracking of web login state in JBoss AS 7.1.1

sfcoy Jun 6, 2012 4:49 AM (in response to jfclere)

I don't need to explicitly create a session for form based or BASIC authentication.

The spec (13.3) says:
The login method allows an application to perform username and password collection (as an alternative to Form-Based Login).
and (13.10)
Containers may create HTTP Session objects to track login state.

This led me to believe that login state will be tracked between requests.

I know that WebSphere, for example, does not use the HttpSession for tracking login state. It uses a separate cookie instead.
Actions