All HTTP requests go through WebLogic Security Providers?
I have a question regarding how WLS processes each HTTP request for a J2EE web application that is using FORM and CLIENT-CERT authentication.
Say the user logs in successfully using FORM authentication, and the application then creates an HttpSession object. The user then clicks on a link which results in another HTTP request to the same web application. For the 2nd (and subsequent HTTP) request, does WLS invoke the Authentication/Authorization/Role Mapper security providers again?
I also customized the sample security provider code (from BEA) to use Identity Assertion (specified CLIENT-CERT authentication for the web application). After successful authentication for the 1st HTTP request, every subsequent HTTP request to the sample web application results in the Authentication/Authorization/Role Mapper providers being invoked again. This is seen from System.out.println statements that are in the providers.
Thanks in advance for your attention/help.
Re: All HTTP requests go through WebLogic Security Providers?
If you are using the SamplePermiternAtnClient to access the secured
page it is understandable why you are seeing all hits go through all
the weblogic security providers.
The client is essentially stateless and hence the server sees the three
consecutive requests as 3 new requests. Hence it invokes all the
security providers. On the other hand if you configure the client to
use some sticky mechanism like cookies you will find out that the
authentication and authorization providers are not invoked every time.
Only the role mapper is invoked every time you access a protected
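
Added example, not part of the thread and not WebLogic code: a toy model of the stateless-versus-cookie behaviour the reply describes. The server, its `authn` counter (standing in for the authentication provider being invoked) and the `/protected` path are constructed for illustration.

```python
import http.client, secrets, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def make_server():
    """Toy container: runs 'authentication' only when no known session cookie arrives."""
    stats = {"authn": 0}   # how often the stand-in authentication step ran
    sessions = set()       # server-side session ids

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            sid = None
            for part in self.headers.get("Cookie", "").split(";"):
                name, _, value = part.strip().partition("=")
                if name == "JSESSIONID":
                    sid = value
            self.send_response(200)
            if sid not in sessions:        # no valid session: authenticate again
                stats["authn"] += 1
                sid = secrets.token_urlsafe(16)
                sessions.add(sid)
                self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):      # keep the demo quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, stats

def get(port, cookie=None):
    """One request on a fresh connection; returns the 'name=value' cookie issued, if any."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/protected", headers={"Cookie": cookie} if cookie else {})
    resp = conn.getresponse()
    resp.read()
    issued = resp.getheader("Set-Cookie")
    conn.close()
    return issued.split(";")[0] if issued else None

def count_authentications(sticky, requests=3):
    """Send `requests` GETs; a sticky client replays the session cookie it was given."""
    server, stats = make_server()
    try:
        cookie = None
        for _ in range(requests):
            issued = get(server.server_address[1], cookie)
            if sticky and issued:
                cookie = issued
    finally:
        server.shutdown()
        server.server_close()
    return stats["authn"]
```

Once the cookie is replayed, the session id is the only thing the server checks, so it has to be protected like any other bearer credential.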