Author: markt
Date: Fri Sep 3 16:56:30 2010
New Revision: 992373
URL: http://svn.apache.org/viewvc?rev=992373&view=rev

Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749 Add httpOnly support to SSO cookie
Modified: tomcat/tc5.5.x/trunk/STATUS.txt tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=992373&r1=992372&r2=992373&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Sep 3 16:56:30 2010 
@@ -66,15 +66,3 @@ PATCHES PROPOSED TO BACKPORT: -- see attachment 25657 in BZ 49521, but I do not think that it is worth it.) jim: Also not comfortable with such a change this late in the game regarding default behavior of a stable branch. - -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749 - Add httpOnly support to SSO cookie - http://people.apache.org/~markt/patches/2010-08-25-bug49749.patch - +1: markt, rjung - -1: - +1: kkolinko: Looking for usages of Constants.SINGLE_SIGN_ON_COOKIE, - in SingleSignOn.invoke() there is one more call to response.addCookie(). - It is used to remove the cookie, so I think HttpOnly is not important there - and thus I am letting this pass. The SingleSignOn valve is usually added to - a <Host> (looking at the default server.xml), so we have to call - request.getContext() to get a Context there? Modified: tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=992373&r1=992372&r2=992373&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java (original) +++ tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java Fri Sep 3 16:56:30 2010 
@@ -800,7 +800,7 @@ public abstract class AuthenticatorBase cookie.setDomain(ssoDomain); } - response.addCookie(cookie); + response.addCookieInternal(cookie, context.getUseHttpOnly()); // Register this principal with our SSO valve sso.register(ssoId, principal, authType, username, password); Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=992373&r1=992372&r2=992373&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Fri Sep 3 16:56:30 2010 @@ -57,6 +57,10 @@ Return a copy of the URL being used from the webapp class loader, not the original array. (kkolinko/markt) </fix> + <fix> + <bug>49749</bug>: Use HttpOnly flag of current context when genrating + a Single-Sign-On cookie. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
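Review bot: the STATUS.txt hunk removes the backport proposal along with kkolinko's recorded observation that SingleSignOn.invoke() still has a second response.addCookie() call (used to remove the cookie) that this commit leaves without the HttpOnly flag, and his open question about needing request.getContext() there; since that reasoning is now gone from STATUS.txt, it would be worth noting in the bug or the changelog entry that the cookie-removal path is intentionally unchanged, so a later reader does not mistake it for an oversight.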
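Review bot: in the AuthenticatorBase.java hunk, `response.addCookieInternal(cookie, context.getUseHttpOnly());` replaces the Servlet API `response.addCookie(cookie);` with a Catalina-internal method and ties the flag to the current Context's useHttpOnly setting; that is reasonable for an authenticator valve, which is always attached to a Context, but a one-line comment above the call explaining why the internal API is needed here (the Servlet API used by this branch gives no way to set HttpOnly on a Cookie) would help the next person who touches this code, and the hunk does not show where `context` is assigned, so the caller should be sure it is set before register() runs.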
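Review bot: in the changelog.xml hunk, "genrating" in `<bug>49749</bug>: Use HttpOnly flag of current context when genrating` should read "generating"; the entry is otherwise consistent with the code change.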