Subject: Re: authorization using tomcat...
From: Rick Fincher (rn...@tbird.com)
Date: Oct 2, 2002 12:10:49 pm
You have to call the invalidate method on the session. You can also use setMaxInactiveInterval(int seconds) to kill the session after an inactive period. I think the default in Tomcat is 30 minutes.
----- Original Message -----
From: "Padhu Vinirs" <p.pa...@verizon.net>
To: "Tomcat Users List" <tomc...@jakarta.apache.org>
Sent: Wednesday, October 02, 2002 2:19 PM
Subject: Re: authorization using tomcat...
Now I am able to access the secure page through the login page. But even if I close the browser (which I assume will close the session), and restart it, I am able to access the secure page without going through the login page. Is there a place where I need to say that the login info should not be a permanent cookie but only session scope ???
Rick Fincher wrote:
It looks like you have this set up OK. Do you have a memory realm set up in conf/web.xml as is required for this setup?
Also, since your transport guarantee is set up as confidential it is going to use SSL so you either have to use an HTTPS:// url or you have to have redirection turned on in port 80 (or whatever your HTTP port is) in conf/web.xml.
If your HTTPS port isn't 443 you'll have to have :8443 (if 8443 is the HTTPS port) in the url too.
I am testing web resource form-based authentication. I have created a dummy jsp page "Details.jsp" and have created the following nodes in web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <url-pattern>Details.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>EditUsers</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>Users who can edit</description>
  <role-name>EditUsers</role-name>
</security-role>
I have created a "EditUsers" role in tomcat-users.xml.
But when I access "Details.jsp", I am redirected to the Netscape search page !!! I am able to access the login and error.jsp pages fine.
Any ideas ?
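
The session invalidation suggested in the reply at the top of this message, written out as a logout servlet. This is an added example, not code from the thread; the class name `LogoutServlet`, its URL mapping, and the redirect to the application root are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (name and mapping are assumptions). It needs
// its own <servlet> and <servlet-mapping> entries in the application's web.xml.
public class LogoutServlet extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false) returns null rather than creating a new session
        // for a caller who does not have one.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Discards the server-side session and every attribute bound to it,
            // so the session id the browser still holds no longer matches anything.
            session.invalidate();
        }

        // Ask the browser and any proxy not to keep a copy of this response.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        // Send the user back to the application root (an assumption). The next
        // request for a page under the security constraint goes through the
        // configured login form again.
        response.sendRedirect(request.getContextPath() + "/");
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Treat a plain link to the logout URL the same as a form post.
        doPost(request, response);
    }
}
```

The idle timeout is a separate setting: `setMaxInactiveInterval(int seconds)` on the session, as mentioned in the reply, covers users who leave without logging out.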