Author: markt Date: Mon Mar 6 20:46:44 2017 New Revision: 1785762 URL: http://svn.apache.org/viewvc?rev=1785762&view=rev Log: Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen.
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1785762&r1=1785761&r2=1785762&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original) +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Mon Mar 6 20:46:44 2017 
@@ -1865,24 +1865,35 @@ public class Request implements HttpServ * * @param principal The user Principal */ - public void setUserPrincipal(Principal principal) { - - if (Globals.IS_SECURITY_ENABLED){ - HttpSession session = getSession(false); - if ( (subject != null) && - (!subject.getPrincipals().contains(principal)) ){ - subject.getPrincipals().add(principal); - } else if (session != null && - session.getAttribute(Globals.SUBJECT_ATTR) == null) { - subject = new Subject(); + public void setUserPrincipal(final Principal principal) { + if (Globals.IS_SECURITY_ENABLED) { + if (subject == null) { + final HttpSession session = getSession(false); + if (session == null) { + // Cache the subject in the request + subject = newSubject(principal); + } else { + // Cache the subject in the request and the session + subject = (Subject) session.getAttribute(Globals.SUBJECT_ATTR); + if (subject == null) { + subject = newSubject(principal); + session.setAttribute(Globals.SUBJECT_ATTR, subject); + } else { + subject.getPrincipals().add(principal); + } + } + } else { subject.getPrincipals().add(principal); } - if (session != null){ - session.setAttribute(Globals.SUBJECT_ATTR, subject); - } } + userPrincipal = principal; + } + - this.userPrincipal = principal; + private Subject newSubject(final Principal principal) { + final Subject result = new Subject(); + result.getPrincipals().add(principal); + return result; } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1785762&r1=1785761&r2=1785762&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Mar 6 20:46:44 2017 
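Review bot: In the new `setUserPrincipal`, every path under `Globals.IS_SECURITY_ENABLED` ends in `getPrincipals().add(principal)`, either directly or through `newSubject`, and a `Subject`'s principal set rejects null with a `NullPointerException`, so a call with a null principal fails before `userPrincipal = principal` is reached. If any caller passes null to clear the authenticated user (callers are not visible in this hunk), the block should be guarded: `if (Globals.IS_SECURITY_ENABLED && principal != null) {`. Separately, when a `Subject` is already cached in the session, the new principal is only added to it, so after a change of identity within one session the cached `Subject` would appear to keep the earlier principal as well. It is worth confirming whether the cached `Subject` should be replaced rather than extended in that case, since it is presumably the identity used for privileged execution under the `SecurityManager`.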
@@ -162,6 +162,11 @@ <code>ServletRequest.getParameterMap()</code> is fully immutable. Based on a patch provided by woosan. (markt) </fix> + <fix> + <bug>60824</bug>: Correctly cache the <code>Subject</code> in the + session - if there is a session - when running under a + <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org