https://bz.apache.org/bugzilla/show_bug.cgi?id=64713

            Bug ID: 64713
           Summary: Principal is cached in session without
                    javax.servlet.http.registerSession being set
           Product: Tomcat 9
           Version: 9.0.37
          Hardware: PC
            Status: NEW
          Severity: minor
          Priority: P2
         Component: JASPIC
          Assignee: dev@tomcat.apache.org
          Reporter: robert.rodew...@kopsis.com
  Target Milestone: -----

The JASPIC 1.1 specification (section 3.8.4) states that the Principal shall be
stored in the session after successful authentication by a ServerAuthModule if
javax.servlet.http.registerSession is set to a value of true. This works, but
if the value is set to false the current code is not compliant, as only the
existence of the key is checked.

Here is the code from AuthenticatorBase:
Map map = state.messageInfo.getMap();
if (map != null && map.containsKey("javax.servlet.http.registerSession")) {
    register(request, response, principal, "JASPIC", null, null, true, true);
} else {
    register(request, response, principal, "JASPIC", null, null);
}

Furthermore, this makes the behavior dependent on the configuration of the
authentication valve's "cache" property if the property is not set, which is
very inflexible. The ServerAuthModule can therefore not decide to NOT cache it
in the session. Especially if you have more than one module, each of which wants
to handle this differently.

I would suggest evaluating the property if present and, if it is set to "false",
disabling any caching (ignoring the valve config). This makes it standard compliant and
more flexible without changing current behavior in the case of a "true" value.

Here is the changed code:
if (map != null && map.containsKey("javax.servlet.http.registerSession")) {
    boolean registerSession = Boolean.valueOf(
            (String) map.get("javax.servlet.http.registerSession")).booleanValue();
    register(request, response, principal, "JASPIC", null, null,
            alwaysUseSession || registerSession, registerSession);
} else {
    register(request, response, principal, "JASPIC", null, null);
}
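For reference, here is a module-side view of the property discussed above. It is an added example, not code from this report or from Tomcat: a hypothetical ServerAuthModule that authenticates from a constructed "X-Demo-User" header (not a real authentication scheme) and then decides, per module option, whether to set javax.servlet.http.registerSession to "true", set it to "false" as the specification describes, or leave the key out of the MessageInfo map entirely. The option names "registerSession" and "omitKeyWhenFalse" are assumptions for this example. With the containsKey-only check quoted from AuthenticatorBase, putting "false" in the map still caches the Principal; omitting the key is the only way to get the non-cached path on that code.

```java
package example;

import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical ServerAuthModule (example code, not part of Tomcat) showing how a
 * module requests, or declines, session caching of the Principal through the
 * JASPIC 1.1 "javax.servlet.http.registerSession" MessageInfo property.
 */
public class RegisterSessionDemoModule implements ServerAuthModule {

    public static final String REGISTER_SESSION = "javax.servlet.http.registerSession";

    private CallbackHandler handler;
    private boolean registerSession;   // assumed option: cache the Principal in the session?
    private boolean omitKeyWhenFalse;  // assumed option: omit the key instead of writing "false"

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        this.registerSession = Boolean.parseBoolean(String.valueOf(options.get("registerSession")));
        this.omitKeyWhenFalse = Boolean.parseBoolean(String.valueOf(options.get("omitKeyWhenFalse")));
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        // Constructed demo credential: a bare header, NOT something to trust in production.
        String user = request.getHeader("X-Demo-User");
        if (user == null || user.isEmpty()) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        }

        // Hand the caller identity and groups to the container via the standard callbacks.
        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, user),
                new GroupPrincipalCallback(clientSubject, new String[] { "demo-users" })
            });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }

        @SuppressWarnings("unchecked")
        Map<String, Object> map = messageInfo.getMap();
        if (registerSession) {
            // Spec: value "true" asks the container to store the Principal in the session.
            map.put(REGISTER_SESSION, "true");
        } else if (omitKeyWhenFalse) {
            // Work-around for a containsKey()-only check: no key means no caching.
            map.remove(REGISTER_SESSION);
        } else {
            // Spec value; a containsKey()-only check still caches despite "false".
            map.put(REGISTER_SESSION, "false");
        }
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }
}
```

Checking which branch the container actually took is simple: send a first request with the header set, then a second request on the same JSESSIONID without it. If the second request is still authenticated, the Principal was cached in the session.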
