[ https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tomas Milian updated FEDIZ-256:
-------------------------------

Description:

Hello,

I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.

Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute (authenticationSessionTimeout) that breaks the Fediz authentication process.

Fediz uses FormAuthenticator to save the request; the change introduced in Tomcat 9.0.74 replaces the original session timeout with the authenticationSessionTimeout default value (120 seconds).

{code:java}
if (session instanceof HttpSession && ((HttpSession) session).isNew()) {
    int originalMaxInactiveInterval = session.getMaxInactiveInterval();
    if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
        saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
        session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
    }
}
{code}

Once the Fediz authentication is resumed, the session maxInactiveInterval is not restored, so the authenticated session always ends up with a 120 second maxInactiveInterval.

> Tomcat authenticationSessionTimeout
> -----------------------------------
>
>                 Key: FEDIZ-256
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-256
>             Project: CXF-Fediz
>          Issue Type: Bug
>          Components: Plugin
>    Affects Versions: 1.6.1
>            Reporter: Tomas Milian
>            Priority: Major

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
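As an added illustration (not part of the report and not Fediz or Tomcat code), this is the restore step the report says is missing, written against the Tomcat classes visible in the quoted snippet: an authenticator that resumes the saved request reads the original interval back out of the SavedRequest and reapplies it. The class name, the getOriginalMaxInactiveInterval() getter (assumed to pair with the setOriginalMaxInactiveInterval() call in the snippet) and the convention that an unrecorded interval is non-positive are assumptions.

```java
import org.apache.catalina.Session;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.authenticator.SavedRequest;

/**
 * Hypothetical helper for a FormAuthenticator subclass: once the parked
 * request has been resumed, undo the shortening that saveRequest() applied
 * to the session's maxInactiveInterval (authenticationSessionTimeout, 120 s
 * by default), so the authenticated session keeps the application's timeout.
 */
public final class SessionTimeoutRestorer {

    private SessionTimeoutRestorer() {
    }

    /**
     * Restores the interval recorded by saveRequest(), if any.
     * Must run while the SavedRequest note is still in the session, i.e.
     * before the code path that removes Constants.FORM_REQUEST_NOTE.
     *
     * @return the maxInactiveInterval in effect afterwards, in seconds
     */
    public static int restoreOriginalTimeout(Session session) {
        Object note = session.getNote(Constants.FORM_REQUEST_NOTE);
        if (!(note instanceof SavedRequest)) {
            // Nothing was parked for this session; leave the timeout alone.
            return session.getMaxInactiveInterval();
        }
        SavedRequest saved = (SavedRequest) note;
        // Assumption: the getter mirrors setOriginalMaxInactiveInterval() and
        // saveRequest() only records a value when it actually lowered the
        // interval, so a non-positive value means "nothing to restore".
        int original = saved.getOriginalMaxInactiveInterval();
        if (original > 0 && original != session.getMaxInactiveInterval()) {
            session.setMaxInactiveInterval(original);
        }
        return session.getMaxInactiveInterval();
    }
}
```

A subclass would call this from the branch that handles the re-submitted original request, immediately before it clears the saved-request note.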