Fri, 28 Feb 2020 at 17:18, <ma...@apache.org>: > > This is an automated email from the ASF dual-hosted git repository. > > markt pushed a commit to branch master > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > The following commit(s) were added to refs/heads/master by this push: > new 20a830c Add an option to persist authentication information with > the session > 20a830c is described below > > commit 20a830c6a520922aee47416c129d322e662bfd44 > Author: Carsten Klein <c.kl...@datagis.com> > AuthorDate: Wed Feb 19 09:01:04 2020 +0100 > > Add an option to persist authentication information with the session > > Patch provided by Carsten Klein. > ---
[...] > diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml > index 821085e..7bcb4df 100644 > --- a/webapps/docs/config/manager.xml > +++ b/webapps/docs/config/manager.xml 
> @@ -122,6 +122,40 @@ > enabled by setting this attribute to a non empty string.</p> > </attribute> > > + <attribute name="persistAuthentication" required="false"> > + <p>Should authentication information be included when session state > is > + preserved across application restarts? If <code>true</code>, the > session's > + authentication is preserved so that the session remains authenticated > + after the application has been restarted. If not specified, the > default > + value of <code>false</code> will be used.<br />See > + <a href="#Persistence_Across_Restarts">Persistence Across > Restarts</a> > + for more information.</p> > + > + <p>Please note that the session's <code>Principal</code> class as > well > + as its descendant classes are all subject to the > + <strong>sessionAttributeValueClassNameFilter</strong>. If such a > filter > + is specified or a <code>SecurityManager</code> is enabled, the names > of > + the <code>Principal</code> class and descendant classes must match > that > + filter pattern in order to be restored.</p> > + </attribute> > + > + <attribute name="persistAuthentication" required="false"> > + <p>Should authentication information be included when session state > is > + preserved across application restarts? If <code>true</code>, the > session's > + authentication is preserved so that the session remains authenticated > + after the application has been restarted. If not specified, the > default > + value of <code>false</code> will be used.<br />See > + <a href="#Persistence_Across_Restarts">Persistence Across > Restarts</a> > + for more information.</p> > + > + <p>Please note that the session's <code>Principal</code> class as > well > + as its descendant classes are all subject to the > + <strong>sessionAttributeValueClassNameFilter</strong>. 
If such a > filter > + is specified or a <code>SecurityManager</code> is enabled, the names > of > + the <code>Principal</code> class and descendant classes must match > that > + filter pattern in order to be restored.</p> > + </attribute> > + 1). The diff block above - the same attribute is documented twice? 2). I think that this attribute should be mentioned in security-howto. > <attribute name="processExpiresFrequency" required="false"> > <p>Frequency of the session expiration, and related manager > operations. > Manager operations will be done once for the specified amount of > @@ -178,7 +212,7 @@ > must fully match the pattern. If not specified, the default value of > <code>null</code> will be used unless a <code>SecurityManager</code> > is > enabled in which case the default will be > - > <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p> > + > <code><nobr>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal|\\[Ljava.lang.String;</nobr></code>.</p> 3). Why force a <nobr> here? I think this will make documentation less readable. > </attribute> > > <attribute name="warnOnSessionAttributeFilterFailure" required="false"> 
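Review bot: the `<attribute name="persistAuthentication">` block in the StandardManager section (hunk @@ -122,6 +122,40 @@) is present twice, word for word; keep a single copy so the attribute table does not render it twice. In the surviving copy, "must match that filter pattern in order to be restored" leaves open what happens to the rest of the session when the Principal class is rejected by sessionAttributeValueClassNameFilter (restored without its authentication, or discarded together with its attributes); an operator enabling this option for a seamless restart needs that stated, so add one sentence on the failure mode.

Review bot: in hunk @@ -178,7 +212,7 @@ the new default pattern escapes the dots in `java\\.lang\\.(?:Boolean|Integer|Long|Number|String)` and `org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal` but not in `\\[Ljava.lang.String;`; an unescaped `.` matches any character, and since the surrounding paragraph says the class name must fully match the pattern, the last alternative should read `\\[Ljava\\.lang\\.String;` for consistency. Separately, `<nobr>` has never been part of any HTML specification; the pattern is long enough that forcing it onto one line will overflow narrow viewports, so drop the wrapper, or if the pattern really must not wrap, use a `white-space: nowrap` style on the `<code>` element instead of a non-standard tag.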
> @@ -249,6 +283,21 @@ > By default, this value is set to <code>-1</code>.</p> > </attribute> > > + <attribute name="persistAuthentication" required="false"> > + <p>Should authentication information be included when sessions are > + swapped out to persistent storage? If <code>true</code>, the > session's > + authentication is preserved so that the session remains authenticated > + after being reloaded (swapped in) from persistent storage. If not > + specified, the default value of <code>false</code> will be used.</p> > + > + <p>Please note that the session's <code>Principal</code> class as > well > + as its descendant classes are all subject to the > + <strong>sessionAttributeValueClassNameFilter</strong>. If such a > filter > + is specified or a <code>SecurityManager</code> is enabled, the names > of > + the <code>Principal</code> class and descendant classes must match > that > + filter pattern in order to be restored.</p> > + </attribute> > + > <attribute name="processExpiresFrequency" required="false"> > <p>It is the same as described above for the > <code>org.apache.catalina.session.StandardManager</code> class. > @@ -301,7 +350,7 @@ > must fully match the pattern. If not specified, the default value of > <code>null</code> will be used unless a <code>SecurityManager</code> > is > enabled in which case the default will be > - > <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p> > + > <code><nobr>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal|\\[Ljava.lang.String;</nobr></code>.</p> > </attribute> 4). The same <nobr> question here. > > <attribute name="warnOnSessionAttributeFilterFailure" required="false"> 
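Review bot: the PersistentManager copy of persistAuthentication (hunk @@ -249,6 +283,21 @@) omits the requirement that the Principal class implement java.io.Serializable, which the patch otherwise states only in the Persistence Across Restarts text, and it carries no pointer to that section the way the StandardManager copy does. A PersistentManager store is exactly where a non-serializable Principal will be hit on every swap-out, so state the Serializable requirement here (or link to the section that states it) rather than leaving it in the StandardManager documentation alone.

Review bot: hunk @@ -301,7 +350,7 @@ repeats the default pattern from the StandardManager section, including the unescaped dots in `\\[Ljava.lang.String;` and the `<nobr>` wrapper; whatever is decided for the first occurrence has to be applied identically here, as the two defaults must stay in sync, and the pattern should be escaped as `\\[Ljava\\.lang\\.String;` in both places.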
> @@ -546,6 +595,15 @@ > including the <code><distributable></code> element in your web > application deployment descriptor (<code>/WEB-INF/web.xml</code>).</p> > > + <p>Note that, if <strong>persistAuthentication</strong> is also set to > + <code>true</code>, the <code>Principal</code> class present in the > session > + MUST also implement the <code>java.io.Serializable</code> interface in > order > + to make authentication persistence work properly. The actual type of that > + <code>Principal</code> class is determined by the <a href="realm.html"> > + Realm</a> implementation used with the application. Tomcat's standard > + <code>Principal</code> class instantiated by most of the Realms (except > + <code>JAASRealm</code>) implements <code>java.io.Serializable</code>.</p> > + > <p>The persistence across restarts provided by the > <strong>StandardManager</strong> is a simpler implementation than that > provided by the <strong>PersistentManager</strong>. If robust, production > 5). In one of the source files: (copy-pasting a previous fragment from the diff): + /** + * Return whether authentication information shall be persisted or not. + * + * @return {@code true}, if authentication information shall be persisted; + * {@code false} otherwise + */ + private boolean isPersistAuthentication() { + if (manager instanceof ManagerBase) { + return ((ManagerBase) manager).getPersistAuthentication(); + } + return false; + } 6). Why are the getter names inconsistent? Here "isPersistAuthentication()" is implemented as a call to "getPersistAuthentication()". Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
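Review bot: the new paragraph in hunk @@ -546,6 +595,15 @@ says the Principal class MUST implement java.io.Serializable "in order to make authentication persistence work properly" but not what happens when it does not (session persisted without its authentication, session dropped, or a deserialization failure with a warning); state the failure mode. The same paragraph should also name the class a custom sessionAttributeValueClassNameFilter has to allow: the default filter added elsewhere in this patch lists `org.apache.catalina.realm.GenericPrincipal$SerializablePrincipal`, not `GenericPrincipal`, so a reader of this section who adds `GenericPrincipal` to their filter will have the restored Principal rejected by the filter.

Review bot: in the isPersistAuthentication() fragment, the `manager instanceof ManagerBase` check means the method returns false for any Manager that is not a ManagerBase subclass, so a session attached to a third-party Manager can never have its authentication persisted and nothing records that the configured option was ignored; either document that persistAuthentication only takes effect with ManagerBase subclasses (StandardManager and PersistentManager, the two the manager.xml changes describe) or expose the flag on the Manager interface so the fallback is not needed. The private helper is also named isPersistAuthentication() while the ManagerBase accessor it delegates to is getPersistAuthentication(); pick one form for the boolean property (is... is the JavaBeans convention) so the two stay aligned.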