This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.0.x by this push: new 2b03b7f29c Preparation for fixing BZ 66120 2b03b7f29c is described below commit 2b03b7f29c6f0e1cde0fbc58db571ec79aeda222 Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Aug 22 08:43:11 2022 +0100 Preparation for fixing BZ 66120 https://bz.apache.org/bugzilla/show_bug.cgi?id=66120 Once BZ 66120 is fixed, the session note that holds the current session ID during FORM authentication will be replicated across the cluster. If failover occurs during FORM authentication, this note also needs to be updated. This change is a NO-OP until the fix for BZ 66120 is committed.
---
 .../catalina/ha/session/JvmRouteBinderValve.java | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java b/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
index c777d3e783..637d3a1dee 100644
--- a/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
+++ b/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
@@ -24,6 +24,7 @@ import org.apache.catalina.Cluster;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.Manager;
 import org.apache.catalina.Session;
+import org.apache.catalina.authenticator.Constants;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.ha.CatalinaCluster;
@@ -327,6 +328,7 @@ public class JvmRouteBinderValve extends ValveBase implements ClusterValve {
 fireLifecycleEvent("Before session migration", catalinaSession);
 catalinaSession.getManager().changeSessionId(catalinaSession, newSessionID);
 changeRequestSessionID(request, sessionId, newSessionID);
+ changeSessionAuthenticationNote(sessionId, newSessionID, catalinaSession);
 fireLifecycleEvent("After session migration", catalinaSession);
 if (log.isDebugEnabled()) {
 log.debug(sm.getString("jvmRoute.changeSession", sessionId,
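Review bot: The added `changeSessionAuthenticationNote(sessionId, newSessionID, catalinaSession);` call carries no comment saying why a session note is touched during node migration; the reason currently lives only in the commit message. A one-line comment above the call would keep it with the code, for example `// Keep the FORM authentication session ID note in step with the migrated session ID`. It is also worth confirming (not visible here) that a note written after `changeSessionId(...)` is the value the other nodes end up with once notes are replicated. The enclosing method starts and ends outside this hunk.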
@@ -356,6 +358,23 @@ public class JvmRouteBinderValve extends ValveBase implements ClusterValve {
 }
+ /**
+ * Change the current session ID that is stored in a session note during
+ * authentication. It is part of the CSRF protection.
+ *
+ * @param sessionId The original session ID
+ * @param newSessionID The new session ID for node migration
+ * @param catalinaSession The session object (that will be using the new
+ * session ID at the point this method is
+ * called)
+ */
+ protected void changeSessionAuthenticationNote(String sessionId, String newSessionID, Session catalinaSession) {
+ if (sessionId.equals(catalinaSession.getNote(Constants.SESSION_ID_NOTE))) {
+ catalinaSession.setNote(Constants.SESSION_ID_NOTE, newSessionID);
+ }
+ }
+
+
 /**
 * Start this component and implement the requirements
 * of {@link org.apache.catalina.util.LifecycleBase#startInternal()}.
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
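Review bot: The Javadoc on `changeSessionAuthenticationNote` does not say that the note is rewritten only when it currently equals the old session ID, which is the property that matters for the CSRF check it supports: a note that did not match before migration is left alone and so never becomes a match. I would state that in the Javadoc and add a why-comment on the condition, e.g. `// Only update a note that matched the pre-migration ID`. Separately, `sessionId.equals(...)` dereferences `sessionId` in a protected method that subclasses can call; if the caller (outside this hunk) does not guarantee non-null, `if (sessionId != null && sessionId.equals(catalinaSession.getNote(Constants.SESSION_ID_NOTE))) {` avoids a NullPointerException part-way through session migration. No test for the new method is visible in this commit.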