kairosci opened a new pull request, #890:
URL: https://github.com/apache/tomcat/pull/890
This pull request introduces a new boolean attribute,
allowSsoReauthentication, to provide control over the SSO re-authentication
behavior in the SSLAuthenticator.
## Description
The changes include:
* Adding the allowSsoReauthentication attribute to AuthenticatorBase,
along with its corresponding getter and setter methods.
* Updating SSLAuthenticator to use the value of allowSsoReauthentication
when checking for a cached authentication, allowing it to proceed with
re-authentication if enabled.
* Exposing the allowSsoReauthentication attribute in the MBean descriptor
for AuthenticatorBase and SSLAuthenticator, making it configurable at runtime.
By defaulting to false, the existing secure behavior is maintained, while
providing administrators the option to enable it when their security
requirements permit.
## Motivation
The SSLAuthenticator is designed to enforce a higher level of security by
requiring client certificate authentication. As part of this, it currently
prevents re-authentication from an existing Single
Sign-On (SSO) session that may have been established using a weaker
authentication method (e.g., FORM or BASIC).
While this is a secure default, it is not currently configurable. There
are use cases where an administrator may want to allow re-authentication from
an SSO session, even if the original authentication
was weaker, to provide a more seamless user experience. This change
introduces the necessary flexibility to support such scenarios.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
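The trade-off the PR describes, as an added illustration that is not code from the pull request or from Tomcat itself: a small stand-alone model of the decision an authenticator makes when it finds a cached principal. Only the attribute name allowSsoReauthentication and its default of false come from the PR; the class, enum and method names, the session-versus-SSO split, and the sample cached entries are assumptions made for this example. The commented Valve line shows the usual Tomcat way of setting a bean attribute on an explicitly declared authenticator in context.xml, which is how a setter such as this one becomes reachable from configuration.

```java
// Added example, not Tomcat's implementation: models the policy the PR describes.
//
// Assumed configuration, if the authenticator were declared explicitly (context.xml):
//   <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
//          allowSsoReauthentication="true"/>
import java.util.Optional;

public class SsoReauthPolicyDemo {

    /** Where a previously established principal was found (assumed model). */
    enum CacheSource { SESSION, SSO }

    /** A cached authentication result together with the method that produced it. */
    record CachedAuth(CacheSource source, String authType, String user) {}

    /** Hypothetical stand-in for the certificate authenticator's attribute. */
    static final class CertAuthenticator {
        private boolean allowSsoReauthentication = false; // PR default: weaker SSO origin is refused

        void setAllowSsoReauthentication(boolean allow) { allowSsoReauthentication = allow; }
        boolean getAllowSsoReauthentication() { return allowSsoReauthentication; }

        /**
         * Returns the cached user if it may be reused without presenting a client
         * certificate again; returns empty when a fresh certificate check is required.
         */
        Optional<String> reuseCached(CachedAuth cached) {
            if (cached == null) {
                return Optional.empty();
            }
            if (cached.source() == CacheSource.SESSION) {
                // A per-session entry was created by this authenticator, i.e. by a
                // client certificate, so reusing it does not lower assurance.
                return Optional.of(cached.user());
            }
            // An SSO entry may have been created by FORM or BASIC in another context.
            // Reusing it is exactly the relaxation the new attribute controls.
            if (allowSsoReauthentication) {
                return Optional.of(cached.user());
            }
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        CertAuthenticator auth = new CertAuthenticator();
        // Constructed sample entries, not captured from a running server.
        CachedAuth viaForm = new CachedAuth(CacheSource.SSO, "FORM", "alice");
        CachedAuth viaCert = new CachedAuth(CacheSource.SESSION, "CLIENT_CERT", "bob");

        System.out.println("SSO/FORM, default:  " + auth.reuseCached(viaForm));
        System.out.println("session/CERT:       " + auth.reuseCached(viaCert));

        auth.setAllowSsoReauthentication(true);
        System.out.println("SSO/FORM, enabled:  " + auth.reuseCached(viaForm));
    }
}
```

The point worth checking before enabling the attribute is the second branch: once it is true, the strength of a certificate-protected context is bounded by the weakest authenticator that can populate the shared SSO cache, so it should be switched on only where every context behind the SingleSignOn valve is acceptable as an entry point for that protected resource.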