[ 
https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved FEDIZ-256.
---------------------------------------
    Resolution: Fixed

> Tomcat authenticationSessionTimeout
> -----------------------------------
>
>                 Key: FEDIZ-256
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-256
>             Project: CXF-Fediz
>          Issue Type: Bug
>          Components: Plugin
>    Affects Versions: 1.6.1
>            Reporter: Tomas Milian
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 1.6.2
>
>
> Hello,
> I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.
> Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute 
> (authenticationSessionTimeout) that breaks Fediz authentication process.
> {color:#172b4d}Fediz uses FormAuthenticator to save the request, the change 
> introduced in Tomcat 9.0.74 replaces the original session timeout with the 
> authenticationSessionTimeout default value (120 seconds).{color}
> {code:java}
>         if (session instanceof HttpSession && ((HttpSession) 
> session).isNew()) {
>             int originalMaxInactiveInterval = 
> session.getMaxInactiveInterval();
>             if (originalMaxInactiveInterval > 
> getAuthenticationSessionTimeout()) {
>                 
> saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
>                 
> session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
>             }
>         } {code}
> {color:#172b4d}Once the Fediz authentication is resumed, the original session 
> maxInactiveInterval is not restored, so authenticated session always ends up 
> with a 120 second maxInactiveInterval{color}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to