Author: kkolinko Date: Thu Dec 6 13:58:59 2012 New Revision: 1417891 URL: http://svn.apache.org/viewvc?rev=1417891&view=rev Log: In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form.
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1417891&r1=1417890&r2=1417891&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Dec 6 13:58:59 2012 @@ -94,13 +94,6 @@ PATCHES PROPOSED TO BACKPORT: +1: kkolinko -1: -* In FormAuthenticator: If it is configured to change Session IDs, - do the change before displaying the login form. - http://svn.apache.org/viewvc?view=revision&revision=1408044 - (r1408043 in trunk) - +1: kkolinko, kfujino, schultz - -1: - * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54087 Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1417891&r1=1417890&r2=1417891&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Thu Dec 6 13:58:59 2012 @@ -31,6 +31,7 @@ import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletResponse; import org.apache.catalina.Globals; +import org.apache.catalina.Manager; import org.apache.catalina.Realm; import org.apache.catalina.Session; import org.apache.catalina.connector.Request; 
@@ -322,6 +323,15 @@ public class FormAuthenticator config.getLoginPage(), context.getName())); } + if (getChangeSessionIdOnAuthentication()) { + Session session = request.getSessionInternal(false); + if (session != null) { + Manager manager = request.getContext().getManager(); + manager.changeSessionId(session); + request.changeSessionId(session.getId()); + } + } + // Always use GET for the login page, regardless of the method used String oldMethod = request.getCoyoteRequest().method().toString(); request.getCoyoteRequest().method().setString("GET"); Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1417891&r1=1417890&r2=1417891&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Dec 6 13:58:59 2012 @@ -47,6 +47,10 @@ <subsection name="Catalina"> <changelog> <fix> + In FormAuthenticator: If it is configured to change Session IDs, + do the change before displaying the login form. (kkolinko) + </fix> + <fix> <bug>54054</bug>: Do not share shell environment variables between multiple instances of the CGI servlet. (markt) </fix> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
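Review bot: The new `if (getChangeSessionIdOnAuthentication())` block in FormAuthenticator.java has no comment explaining why the session ID is rotated before the login form is shown, and the reason is security-relevant; I would add above it `// Rotate the session ID before the login page is rendered, so an ID fixed on the client beforehand is not the one that carries the login exchange.` The block calls `request.getContext().getManager()` and uses the result without a null check; a Manager presumably exists because `session` is non-null, but `session.getManager()` would make that dependency explicit. This early rotation should complement, not replace, the ID change made after successful authentication, which is not visible in this hunk and is worth confirming. The enclosing method starts and ends outside the hunk.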