Fri, 28 Feb 2020 at 17:18, <ma...@apache.org>:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/master by this push:
>      new 20a830c  Add an option to persist authentication information with 
> the session
> 20a830c is described below
>
> commit 20a830c6a520922aee47416c129d322e662bfd44
> Author: Carsten Klein <c.kl...@datagis.com>
> AuthorDate: Wed Feb 19 09:01:04 2020 +0100
>
>     Add an option to persist authentication information with the session
>
>     Patch provided by Carsten Klein.
> ---

[...]

> diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml
> index 821085e..7bcb4df 100644
> --- a/webapps/docs/config/manager.xml
> +++ b/webapps/docs/config/manager.xml
> @@ -122,6 +122,40 @@
>          enabled by setting this attribute to a non empty string.</p>
>        </attribute>
>
> +      <attribute name="persistAuthentication" required="false">
> +        <p>Should authentication information be included when session state 
> is
> +        preserved across application restarts? If <code>true</code>, the 
> session's
> +        authentication is preserved so that the session remains authenticated
> +        after the application has been restarted. If not specified, the 
> default
> +        value of <code>false</code> will be used.<br />See
> +        <a href="#Persistence_Across_Restarts">Persistence Across 
> Restarts</a>
> +        for more information.</p>
> +
> +        <p>Please note that the session's <code>Principal</code> class as 
> well
> +        as its descendant classes are all subject to the
> +        <strong>sessionAttributeValueClassNameFilter</strong>. If such a 
> filter
> +        is specified or a <code>SecurityManager</code> is enabled, the names 
> of
> +        the <code>Principal</code> class and descendant classes must match 
> that
> +        filter pattern in order to be restored.</p>
> +      </attribute>
> +
> +      <attribute name="persistAuthentication" required="false">
> +        <p>Should authentication information be included when session state 
> is
> +        preserved across application restarts? If <code>true</code>, the 
> session's
> +        authentication is preserved so that the session remains authenticated
> +        after the application has been restarted. If not specified, the 
> default
> +        value of <code>false</code> will be used.<br />See
> +        <a href="#Persistence_Across_Restarts">Persistence Across 
> Restarts</a>
> +        for more information.</p>
> +
> +        <p>Please note that the session's <code>Principal</code> class as 
> well
> +        as its descendant classes are all subject to the
> +        <strong>sessionAttributeValueClassNameFilter</strong>. If such a 
> filter
> +        is specified or a <code>SecurityManager</code> is enabled, the names 
> of
> +        the <code>Principal</code> class and descendant classes must match 
> that
> +        filter pattern in order to be restored.</p>
> +      </attribute>
> +

1). The diff block above - the same attribute is documented twice?

2). I think that this attribute should be mentioned in security-howto.

>        <attribute name="processExpiresFrequency" required="false">
>          <p>Frequency of the session expiration, and related manager 
> operations.
>          Manager operations will be done once for the specified amount of
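Review bot: the new persistAuthentication text does not say what happens when the Principal class fails the sessionAttributeValueClassNameFilter: is the session restored without its authentication, is it skipped entirely, and does warnOnSessionAttributeFilterFailure govern whether that is logged? One sentence stating that outcome would let operators predict the effect of the filter on persisted logins. Separately, the `<attribute name="persistAuthentication">` block appears twice in this hunk, the second being a verbatim copy of the first; one copy should be dropped.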
> @@ -178,7 +212,7 @@
>          must fully match the pattern. If not specified, the default value of
>          <code>null</code> will be used unless a <code>SecurityManager</code> 
> is
>          enabled in which case the default will be
> -        
> <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p>
> +        
> <code><nobr>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal|\\[Ljava.lang.String;</nobr></code>.</p>

3). Why force a <nobr> here? I think this will make documentation less readable.

>        </attribute>
>
>        <attribute name="warnOnSessionAttributeFilterFailure" required="false">
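Review bot: in the new default pattern on the `+` line, the array entry `\\[Ljava.lang.String;` leaves its dots unescaped while every other entry escapes them (`java\\.lang\\.`); since the attribute is a regular expression, an unescaped `.` matches any character, so for consistency and tightness it should read `\\[Ljava\\.lang\\.String;`. A sentence explaining why a `String[]` class name must now be admitted by default would also make the default easier to audit than a single `<nobr>` run.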
> @@ -249,6 +283,21 @@
>          By default, this value is set to <code>-1</code>.</p>
>        </attribute>
>
> +      <attribute name="persistAuthentication" required="false">
> +        <p>Should authentication information be included when sessions are
> +        swapped out to persistent storage? If <code>true</code>, the 
> session's
> +        authentication is preserved so that the session remains authenticated
> +        after being reloaded (swapped in) from persistent storage. If not
> +        specified, the default value of <code>false</code> will be used.</p>
> +
> +        <p>Please note that the session's <code>Principal</code> class as 
> well
> +        as its descendant classes are all subject to the
> +        <strong>sessionAttributeValueClassNameFilter</strong>. If such a 
> filter
> +        is specified or a <code>SecurityManager</code> is enabled, the names 
> of
> +        the <code>Principal</code> class and descendant classes must match 
> that
> +        filter pattern in order to be restored.</p>
> +      </attribute>
> +
>        <attribute name="processExpiresFrequency" required="false">
>          <p>It is the same as described above for the
>          <code>org.apache.catalina.session.StandardManager</code> class.
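Review bot: the PersistentManager description of persistAuthentication should state what the store receives when it is enabled, since the session store now holds the serialized Principal rather than only unauthenticated session state; naming the fields that are written (user name and roles, and whether any credential is included) lets operators judge how the store must be protected. It should also carry, or point to, the `java.io.Serializable` requirement on the Principal class that this commit adds only to the StandardManager 'Persistence Across Restarts' section, because swapping sessions out to persistent storage serializes them too.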
> @@ -301,7 +350,7 @@
>          must fully match the pattern. If not specified, the default value of
>          <code>null</code> will be used unless a <code>SecurityManager</code> 
> is
>          enabled in which case the default will be
> -        
> <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p>
> +        
> <code><nobr>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal|\\[Ljava.lang.String;</nobr></code>.</p>
>        </attribute>

4). The same <nobr> question here.

>
>        <attribute name="warnOnSessionAttributeFilterFailure" required="false">
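Review bot: the `+` line repeats the StandardManager default pattern verbatim for the PersistentManager; since the neighbouring processExpiresFrequency entry already says "It is the same as described above for the org.apache.catalina.session.StandardManager class", consider the same cross-reference here so the two defaults cannot drift apart in future edits. If it stays inline, give `\\[Ljava.lang.String;` the same escaping as the other entries (`\\[Ljava\\.lang\\.String;`).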
> @@ -546,6 +595,15 @@
>      including the <code>&lt;distributable&gt;</code> element in your web
>      application deployment descriptor (<code>/WEB-INF/web.xml</code>).</p>
>
> +    <p>Note that, if <strong>persistAuthentication</strong> is also set to
> +    <code>true</code>, the <code>Principal</code> class present in the 
> session
> +    MUST also implement the <code>java.io.Serializable</code> interface in 
> order
> +    to make authentication persistence work properly. The actual type of that
> +    <code>Principal</code> class is determined by the <a href="realm.html">
> +    Realm</a> implementation used with the application. Tomcat's standard
> +    <code>Principal</code> class instantiated by most of the Realms (except
> +    <code>JAASRealm</code>) implements <code>java.io.Serializable</code>.</p>
> +
>      <p>The persistence across restarts provided by the
>      <strong>StandardManager</strong> is a simpler implementation than that
>      provided by the <strong>PersistentManager</strong>. If robust, production
>
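Review bot: the new paragraph states that the Principal MUST implement java.io.Serializable but not what happens when it does not (for example with JAASRealm, which the text singles out): is the session persisted without its authentication, is the whole session dropped, and is a warning logged? Stating that outcome would make the requirement actionable for operators choosing a Realm.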

5). In one of the source files (copy-pasting a previous fragment from the diff):

+    /**
+     * Return whether authentication information shall be persisted or not.
+     *
+     * @return {@code true}, if authentication information shall be persisted;
+     *         {@code false} otherwise
+     */
+    private boolean isPersistAuthentication() {
+        if (manager instanceof ManagerBase) {
+            return ((ManagerBase) manager).getPersistAuthentication();
+        }
+        return false;
+    }
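Review bot: the `return false` fallback in isPersistAuthentication() for a Manager that is not a ManagerBase silently disables the feature for custom Manager implementations; that fail-closed default (authentication is not persisted unless the manager explicitly opts in) is the right choice, but it deserves an inline comment or a Javadoc sentence so a reader does not mistake it for an oversight, and so the is/get naming mismatch with ManagerBase.getPersistAuthentication() is resolved deliberately rather than left by accident.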

5). Why are the getter names inconsistent?

Here "isPersistAuthentication()" is implemented as a call to
"getPersistAuthentication()".

Best regards,
Konstantin Kolinko
