This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new a7a99c6  Fix BZ 64712 and 64713. JASPIC fixes
a7a99c6 is described below

commit a7a99c6e497c5f8a5185b26c9ef623d23b18b285
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Sep 7 10:34:55 2020 +0100

    Fix BZ 64712 and 64713. JASPIC fixes
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=64712
    https://bz.apache.org/bugzilla/show_bug.cgi?id=64713
    Take account of registerSession and authType
    Based on a patch by Robert Rodewald
---
 .../catalina/authenticator/AuthenticatorBase.java  | 33 ++++++++++++++++++----
 webapps/docs/changelog.xml                         | 12 ++++++++
 2 files changed, 39 insertions(+), 6 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 2643f75..0951d00 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -925,16 +925,37 @@ public abstract class AuthenticatorBase extends ValveBase
                 if (requirePrincipal) {
                     return false;
                 }
-            } else if (cachedAuth == false ||
-                    
!principal.getUserPrincipal().equals(request.getUserPrincipal())) {
+            } else if (cachedAuth == false || 
!principal.getUserPrincipal().equals(request.getUserPrincipal())) {
                 // Skip registration if authentication credentials were
                 // cached and the Principal did not change.
-                @SuppressWarnings("rawtypes")// JASPIC API uses raw types
+
+                // Check to see if any of the JASPIC properties were set
+                Boolean register = null;
+                String authType = "JASPIC";
+                @SuppressWarnings("rawtypes") // JASPIC API uses raw types
                 Map map = state.messageInfo.getMap();
-                if (map != null && 
map.containsKey("javax.servlet.http.registerSession")) {
-                    register(request, response, principal, "JASPIC", null, 
null, true, true);
+
+                String registerValue = (String) 
map.get("javax.servlet.http.registerSession");
+                if (registerValue != null) {
+                    register = Boolean.valueOf(registerValue);
+                }
+                String authTypeValue = (String) 
map.get("javax.servlet.http.authType");
+                if (authTypeValue != null) {
+                    authType = authTypeValue;
+                }
+
+                /*
+                 * Need to handle three cases.
+                 * See https://bz.apache.org/bugzilla/show_bug.cgi?id=64713
+                 * 1. registerSession TRUE    always use session, always cache
+                 * 2. registerSession NOT SET config for session, config for 
cache
+                 * 3. registerSession FALSE   config for session, never cache
+                 */
+                if (register != null) {
+                    register(request, response, principal, authType, null, 
null,
+                            alwaysUseSession || register.booleanValue(), 
register.booleanValue());
                 } else {
-                    register(request, response, principal, "JASPIC", null, 
null);
+                    register(request, response, principal, authType, null, 
null);
                 }
             }
             request.setNote(Constants.REQ_JASPIC_SUBJECT_NOTE, client);
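Review bot: The `map != null` guard from the removed lines is gone, so `map.get("javax.servlet.http.registerSession")` on the line after `Map map = state.messageInfo.getMap();` throws a NullPointerException when a ServerAuthModule's MessageInfo returns a null map, where the old code fell through to the plain `register(...)` call. Restore the guard before the two lookups, e.g. `String registerValue = map == null ? null : (String) map.get("javax.servlet.http.registerSession");` and the same shape for `authTypeValue`, so a module that sets neither property still gets the configured defaults. The `(String)` casts also assume the module stored String values; if a non-String value is possible here, a ClassCastException would abort authentication where a fall-back to the defaults is presumably the intended behaviour, so `Object` plus `String.valueOf` would be more forgiving. The enclosing method starts and ends outside the hunk. Separately, the changelog entries name `jakarta.servlet.http.*` while this code reads the `javax.servlet.http.*` keys, which is the namespace 8.5.x actually uses; the changelog wording should match the code.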
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0301083..41b1cb1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -95,6 +95,18 @@
         Use the correct method to calculate session idle time in
         <code>PersistentValve</code>. (kfujino)
       </fix>
+      <fix>
+        <bug>64712</bug>: The JASPIC authenticator now checks the
+        <code>ServerAuthModule</code> for
+        <code>jakarta.servlet.http.authType</code> and, if present, uses the
+        value provided. Based on a patch by Robert Rodewald. (markt)
+      </fix>
+      <fix>
+        <bug>64713</bug>: The JASPIC authenticator now checks the value of
+        <code>jakarta.servlet.http.registerSession</code> set by the
+        <code>ServerAuthModule</code> when decideing whether or nor to register
+        the session. Based on a patch by Robert Rodewald. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

