Without basic authentication activated, all HTTP sessions are marked as
'anonymous', and can be freely accessed.  (The same idea applies if
WebSphere security is enabled instead of basic authentication via the web
server.)  But when basic authentication is activated and an authenticated
user accesses a protected resource which is routed to WebSphere, then the
HTTP session becomes marked (owned) by the authenticated user.

Suppose later the user requests a resource that is not protected by
webserver basic authentication and tries to access the HTTP session, which
tags the user as 'anonymous'.  That will cause the
UnauthorizedSessionRequestException you mention and does not allow
anonymous access to the protected HTTP session.  The result is, the code
then gets a new Session instead, which sends it down the error path.  I
suspect you need to look closer at the protection directive(s) in your HTTP
server configuration to see if it is possible for some app requests to be
protected while other requests are not, since evidently some
unauthenticated requests seem to be getting through.






P. Goovaerts@Clipper.Be
Sent by: java400-l-admin@midrange.com
07/22/02 08:39 AM
Please respond to java400-l

To:       web400@midrange.com, <java400-l@midrange.com>
cc:
Subject:  jsp - servlet Session-authentication problem







A webapp has an index.html, 2 servlets (A)(B), 3 JSPs (A)(B)(error) and 1
databean. The application has 'Basic Authentication' activated in WebServer
(WAS3.5.6)

When index.html is launched, userid-password is asked by the server. After
receiving correct info, index.html is displayed and it automatically
launches Servlet(A).

This Servlet(A) creates a new session, gets data from the AS400 and
stores the data into the session. Finally it launches JSP(A) using
RequestDispatcher:
'getServletConfig().getServletContext().getRequestDispatcher(httppage).forward(req, res);'

JSP(A) is displayed and asks for a value to find data. When value is
entered, user submits the form which actually calls Servlet(B). In short,
this servlet does the following:
session = req.getSession(true);
id = session.getId();
if (session.isNew()) {
   // a new session here means the one created by Servlet(A) was not returned
   httppage = "error.jsp";
}
else {
   // fillDataBean...
   httppage = "JSP2.jsp";
}
getServletConfig().getServletContext().getRequestDispatcher(httppage).forward(req, res);

PROBLEM:
The first time Servlet(B) is executed (servlet loaded by server), I receive
JSP2.jsp which is correct. All subsequent calls end in error!
Even when I quit the browser, reload index.html and reconnect, the
error.jsp is shown which indicates that a new session is created.

The only clue I have is that 'session = req.getSession(true);' throws an
authorization-exception as follows:

com.ibm.websphere.servlet.session.UnauthorizedSessionRequestException: SessionContext: a user authenticated as anonymous has attempted to access a session owned by user:CLIPPER/S-1-5-21-346438834-254567744-1563503735-1100
    at com.ibm.servlet.personalization.sessiontracking.SessionContext.getIHttpSession(SessionContext.java:1413)
    at com.ibm.servlet.engine.srt.SRTSessionAPISupport.getSession(SRTSessionAPISupport.java:255)
    at com.ibm.servlet.engine.srt.SRTServletRequest.getSession(SRTServletRequest.java:470)
    at com.ibm.servlet.engine.webapp.HttpServletRequestProxy.getSession(HttpServletRequestProxy.java:77)
    ...
    ...





Patrick Goovaerts
Clipper Support nv
TEL : 0032 (0)3 5453991
GSM: 0498 610 325
WEB: www.conti7.be


_______________________________________________
This is the Java Programming on and around the iSeries / AS400 (JAVA400-L)
mailing list
To post a message email: JAVA400-L@midrange.com
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/java400-l
or email: JAVA400-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/java400-l.
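
The ownership rule described in the reply at the top of this thread, as a simplified model. This is an added example, not part of either message and not WebSphere's implementation; the class and method names, the /app/ paths and the user name alice are assumptions.

```java
import java.util.*;

// Simplified model of the session-ownership rule described in the reply.
// Not WebSphere code: every class, method and path here is hypothetical.
public class SessionOwnershipModel {
    static class UnauthorizedSessionRequest extends RuntimeException {
        UnauthorizedSessionRequest(String msg) { super(msg); }
    }
    // URL prefixes covered by the web server's basic-auth directive (constructed).
    static final Set<String> PROTECTED = new HashSet<>(Arrays.asList("/app/index.html", "/app/ServletA"));
    static final Map<String, String> OWNERS = new HashMap<>();   // session id -> owner
    static int nextId = 1;

    // The web server forwards a user name only for URLs under a protected prefix.
    static String identityFor(String path, String browserUser) {
        for (String prefix : PROTECTED) if (path.startsWith(prefix)) return browserUser;
        return "anonymous";
    }
    static String newSession(String owner) {
        String id = "S" + nextId++;
        OWNERS.put(id, owner);
        return id;
    }
    // A session owned by an authenticated user is handed back only to that user.
    static String getSession(String cookie, String user) {
        String owner = OWNERS.get(cookie);
        if (owner == null) return newSession(user);
        if (!owner.equals("anonymous") && !owner.equals(user))
            throw new UnauthorizedSessionRequest("a user authenticated as " + user
                    + " has attempted to access a session owned by user:" + owner);
        return cookie;
    }
    // One request; the result says which page Servlet(B)'s isNew() test would pick.
    static String handle(String path, String cookie, String browserUser) {
        String user = identityFor(path, browserUser);
        try {
            String id = getSession(cookie, user);
            return path + ": " + (id.equals(cookie) ? "existing " : "new ") + id + " for " + user;
        } catch (UnauthorizedSessionRequest e) {
            return path + ": " + e.getMessage() + "; new " + newSession(user) + " -> error.jsp";
        }
    }
    public static void main(String[] args) {
        System.out.println(handle("/app/ServletA", null, "alice"));  // authenticated request creates the session
        System.out.println(handle("/app/ServletB", "S1", "alice"));  // URL is unprotected, so the request is anonymous
        PROTECTED.add("/app/ServletB");                              // directive now covers Servlet(B) as well
        System.out.println(handle("/app/ServletB", "S1", "alice"));  // same cookie, request now carries the user
    }
}
```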

