(tomcat) branch 9.0.x updated: Fix saved request serialization issue in FORM

remm Thu, 05 Jun 2025 01:57:29 -0700

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git



The following commit(s) were added to refs/heads/9.0.x by this push:
     new 36b0ec4a15 Fix saved request serialization issue in FORM
36b0ec4a15 is described below

commit 36b0ec4a153893fee7912a8dc3a68de83caaeba2
Author: remm <[email protected]>
AuthorDate: Thu Jun 5 10:38:38 2025 +0200

    Fix saved request serialization issue in FORM
    
    Introduced when allowing infinite session timeouts.
    BZ69706
---
 java/org/apache/catalina/authenticator/FormAuthenticator.java | 8 ++++----
 java/org/apache/catalina/authenticator/SavedRequest.java      | 9 ++++-----
 webapps/docs/changelog.xml                                    | 4 ++++
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java 
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 35b34b83d1..ee45eb0af8 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -646,8 +646,8 @@ public class FormAuthenticator extends AuthenticatorBase {
         request.getCoyoteRequest().queryString().toStringType();
         request.getCoyoteRequest().protocol().toStringType();
 
-        if (saved.getOriginalMaxInactiveIntervalOptional().isPresent()) {
-            
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveIntervalOptional().getAsInt());
+        if (saved.getOriginalMaxInactiveIntervalOptional() != null) {
+            
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveIntervalOptional().intValue());
         }
 
         return true;
@@ -724,14 +724,14 @@ public class FormAuthenticator extends AuthenticatorBase {
                     
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
                 }
             } else if (previousSavedRequest != null &&
-                    
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().isPresent()) {
+                    
previousSavedRequest.getOriginalMaxInactiveIntervalOptional() != null) {
                 /*
                  * The user may have refreshed the browser page during 
authentication. Transfer the original max inactive
                  * interval from previous saved request to current one else, 
once authentication is completed, the session
                  * will retain the shorter authentication session timeout
                  */
                 saved.setOriginalMaxInactiveInterval(
-                        
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().getAsInt());
+                        
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().intValue());
             }
         }
 
diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java 
b/java/org/apache/catalina/authenticator/SavedRequest.java
index f5d6f26a2c..af6958a0f4 100644
--- a/java/org/apache/catalina/authenticator/SavedRequest.java
+++ b/java/org/apache/catalina/authenticator/SavedRequest.java
@@ -24,7 +24,6 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.OptionalInt;
 
 import javax.servlet.http.Cookie;
 
@@ -182,9 +181,9 @@ public final class SavedRequest implements Serializable {
     /**
      * The original maxInactiveInterval for the session.
      */
-    private OptionalInt originalMaxInactiveInterval = OptionalInt.empty();
+    private Integer originalMaxInactiveInterval = null;
 
-    public OptionalInt getOriginalMaxInactiveIntervalOptional() {
+    public Integer getOriginalMaxInactiveIntervalOptional() {
         return originalMaxInactiveInterval;
     }
 
@@ -198,10 +197,10 @@ public final class SavedRequest implements Serializable {
      */
     @Deprecated
     public int getOriginalMaxInactiveInterval() {
-        return originalMaxInactiveInterval.orElse(-1);
+        return (originalMaxInactiveInterval == null) ? -1 : 
originalMaxInactiveInterval.intValue();
     }
 
     public void setOriginalMaxInactiveInterval(int 
originalMaxInactiveInterval) {
-        this.originalMaxInactiveInterval = 
OptionalInt.of(originalMaxInactiveInterval);
+        this.originalMaxInactiveInterval = 
Integer.valueOf(originalMaxInactiveInterval);
     }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e64f0d88a2..1c24171b84 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -131,6 +131,10 @@
         rewrite map files to align behaviour with Apache httpd. Pull request
         provided by Chenjp. (markt)
       </add>
+      <fix>
+        <bug>69706</bug>: Fix saved request serialization issue in FORM
+        introduced when allowing infinite session timeouts. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

(tomcat) branch 9.0.x updated: Fix saved request serialization issue in FORM

Reply via email to