All HTTP requests go through WebLogic Security Providers? - WebLogic



  1. All HTTP requests go through WebLogic Security Providers?

    Hi,

    I have a question regarding how WLS processes each HTTP request for a J2EE web application that is using FORM and CLIENT-CERT authentication.

    Say the user logs in successfully using FORM authentication, and the application then creates a HttpSession object. The user then clicks on a link which results in another HTTP request to the same web application. For the 2nd (and subsequent) HTTP request, does WLS invoke the Authentication/Authorization/Role Mapper security providers again?

    I also customized the sample security provider code (from BEA) to use Identity Assertion (specified CLIENT-CERT authentication for the web application). After successful authentication for the 1st HTTP request, every subsequent HTTP request to the sample web application results in the Authentication/Authorization/Role Mapper providers being invoked again. This is seen from System.out.println statements that are in the providers.

    Thanks in advance for your attention/help.

    Rgds

  2. Re: All HTTP requests go through WebLogic Security Providers?

    Hi wee,

    If you are using the SamplePermiternAtnClient to access the secured
    page, it is understandable why you are seeing all hits go through all
    the WebLogic security providers.

    The client is essentially stateless, and hence the server sees the three
    consecutive requests as 3 new requests. Hence it invokes all the
    security providers. On the other hand, if you configure the client to
    use some sticky mechanism like cookies, you will find that the
    authentication and authorization providers are not invoked every time.
    Only the role mapper is invoked every time you access a protected
    resource.

    anand raman
    http://jroller.com/page/araman
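
Added example (not part of the thread, and not WebLogic or BEA code): a simplified Java model of the stateless-versus-cookie client behaviour described in the reply above. The embedded server, the `/secure` path, the class name and the `authCalls` counter are all assumptions; the counter stands in for the authentication provider, which runs whenever a request arrives without a known `JSESSIONID`.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.util.*;
import java.util.concurrent.atomic.AtomicInteger;

// Simplified model, not WebLogic: a request without a known JSESSIONID cannot be
// tied to an existing session, so the server has to authenticate it from scratch.
public class StickySessionDemo {
    static final AtomicInteger authCalls = new AtomicInteger();
    static final Set<String> sessions = Collections.synchronizedSet(new HashSet<>());

    static HttpServer startServer() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/secure", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            String id = (cookie != null && cookie.startsWith("JSESSIONID=")) ? cookie.substring("JSESSIONID=".length()) : null;
            if (id == null || !sessions.contains(id)) {
                authCalls.incrementAndGet();          // stand-in for the authentication provider
                id = UUID.randomUUID().toString();    // new session for the authenticated caller
                sessions.add(id);
                ex.getResponseHeaders().add("Set-Cookie", "JSESSIONID=" + id + "; Path=/; HttpOnly");
            }
            ex.sendResponseHeaders(204, -1);
            ex.close();
        });
        server.start();
        return server;
    }

    // Sends the given number of GETs and returns how often the server had to authenticate.
    static int authCallsFor(HttpClient client, URI uri, int requests) throws Exception {
        authCalls.set(0);
        for (int i = 0; i < requests; i++) {
            client.send(HttpRequest.newBuilder(uri).build(), HttpResponse.BodyHandlers.discarding());
        }
        return authCalls.get();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startServer();
        URI uri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/secure");
        HttpClient stateless = HttpClient.newHttpClient();   // no cookie store: every request looks new
        HttpClient sticky = HttpClient.newBuilder().cookieHandler(new CookieManager()).build();
        System.out.println("stateless client: " + authCallsFor(stateless, uri, 3) + " authentications");
        System.out.println("cookie client:    " + authCallsFor(sticky, uri, 3) + " authentications");
        server.stop(0);
    }
}
```

The model covers only the authentication step; per-request authorization and role mapping are not represented.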

