This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 1ecba14e690cf5f3f143eef6ae7037a6d3c16652 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Dec 5 23:25:37 2019 +0000 Refactor so Principal is never cached in session with cache==false --- .../catalina/authenticator/AuthenticatorBase.java | 5 ++-- .../apache/catalina/authenticator/Constants.java | 3 ++ .../catalina/authenticator/FormAuthenticator.java | 33 ++++++---------------- 3 files changed, 15 insertions(+), 26 deletions(-) diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java index b644934..0b63fd9 100644 --- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java +++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java @@ -1133,10 +1133,11 @@ public abstract class AuthenticatorBase extends ValveBase } // Cache the authentication information in our session, if any - if (cache) { - if (session != null) { + if (session != null) { + if (cache) { session.setAuthType(authType); session.setPrincipal(principal); + } else { if (username != null) { session.setNote(Constants.SESS_USERNAME_NOTE, username); } else { diff --git a/java/org/apache/catalina/authenticator/Constants.java b/java/org/apache/catalina/authenticator/Constants.java index 69b6066..9857c09 100644 --- a/java/org/apache/catalina/authenticator/Constants.java +++ b/java/org/apache/catalina/authenticator/Constants.java @@ -77,7 +77,10 @@ public class Constants { /** * The previously authenticated principal (if caching is disabled). + * + * @deprecated Unused. Will be removed in Tomcat 10. */ + @Deprecated public static final String FORM_PRINCIPAL_NOTE = "org.apache.catalina.authenticator.PRINCIPAL"; /** diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index 9d5e3f8..f326f77 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java 
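Review bot: The new `else` branch in AuthenticatorBase carries no comment explaining why credentials are kept as session notes only when `cache` is false, and a reader coming from the old code (which set the username note inside the caching case) will read the restructuring as an inversion. Suggest a comment before `if (cache) {`: `// cache==true: keep the Principal on the session; cache==false: keep the credentials as session notes so the user can be re-authenticated on each request.` Moving the `session != null` guard outward does not change the null-session behaviour, since neither branch touches the session otherwise. The remainder of the `else` branch (presumably the password note) and the rest of register() lie outside the hunk.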
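Review bot: The `@deprecated` text on `FORM_PRINCIPAL_NOTE` says only "Unused" and gives code that still reads or writes this note nothing to migrate to, although the replacement is visible elsewhere in this commit. Suggest `@deprecated Unused. Will be removed in Tomcat 10. The Principal is now kept via {@code Session#setPrincipal} when caching is enabled, and only on the request when it is disabled.` That way a subclass relying on the note learns where matchRequest() now looks.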
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -132,10 +132,6 @@ public class FormAuthenticator protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException { - if (checkForCachedAuthentication(request, response, true)) { - return true; - } - // References to objects we will need later Session session = null; Principal principal = null; @@ -154,9 +150,8 @@ public class FormAuthenticator } principal = context.getRealm().authenticate(username, password); if (principal != null) { - session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); + register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password); if (!matchRequest(request)) { - register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password); return true; } } @@ -173,16 +168,6 @@ public class FormAuthenticator if (log.isDebugEnabled()) { log.debug("Restore request from session '" + session.getIdInternal() + "'"); } - principal = (Principal) session.getNote(Constants.FORM_PRINCIPAL_NOTE); - register(request, response, principal, HttpServletRequest.FORM_AUTH, - (String) session.getNote(Constants.SESS_USERNAME_NOTE), - (String) session.getNote(Constants.SESS_PASSWORD_NOTE)); - // If we're caching principals we no longer need the user name - // and password in the session, so remove them - if (cache) { - session.removeNote(Constants.SESS_USERNAME_NOTE); - session.removeNote(Constants.SESS_PASSWORD_NOTE); - } if (restoreRequest(request, session)) { if (log.isDebugEnabled()) { log.debug("Proceed to restored request"); 
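Review bot: `register(...)` is now called ahead of `matchRequest(request)` with no comment, and the order is load-bearing: matchRequest (changed later in this commit) looks for the Principal on the session when `cache` is true and on the request otherwise, so a just-authenticated landing-page request would be rejected if the two calls were swapped back. Suggest `// Register before matchRequest(): it needs the Principal to be visible on the session (cache) or on the request (!cache)`. Whether register() sets the request Principal is not shown in this diff; confirm against AuthenticatorBase. doAuthenticate continues outside the hunk.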
@@ -197,6 +182,12 @@ public class FormAuthenticator } } + // This check has to be after the previous check for a matching request + // because that matching request may also include a cached Principal. + if (checkForCachedAuthentication(request, response, true)) { + return true; + } + // Acquire references to objects we will need to evaluate String contextPath = request.getContextPath(); String requestURI = request.getDecodedRequestURI(); @@ -283,12 +274,7 @@ public class FormAuthenticator return false; } - // Save the authenticated Principal in our session - session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); - - // Save the username and password as well - session.setNote(Constants.SESS_USERNAME_NOTE, username); - session.setNote(Constants.SESS_PASSWORD_NOTE, password); + register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password); // Redirect the user to the original request URI (which will cause // the original request to be restored) @@ -489,7 +475,7 @@ public class FormAuthenticator } // Is there a saved principal? - if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) { + if (cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null) { return false; } @@ -519,7 +505,6 @@ public class FormAuthenticator // Retrieve and remove the SavedRequest object from our session SavedRequest saved = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE); session.removeNote(Constants.FORM_REQUEST_NOTE); - session.removeNote(Constants.FORM_PRINCIPAL_NOTE); if (saved == null) { return false; } --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
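Review bot: The new comment above `checkForCachedAuthentication` says a matching request "may also include a cached Principal" but not what would go wrong if the check ran first; since the login path now calls `register()` before redirecting, with `cache` enabled the Principal is already on the session when the landing-page request arrives, and this check would return true before the saved request could be restored. Suggest extending it: `// With cache==true the Principal registered at login is already on the session, so running this check first would short-circuit the restore of the saved request.` The same point covers the removal of the early check at the top of doAuthenticate in the first FormAuthenticator hunk.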
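Review bot: The new condition in matchRequest, `cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null`, relies on `&&` binding tighter than `||` and is easy to misread; pick the Principal first and test once: `Principal principal = cache ? session.getPrincipal() : request.getPrincipal();` then `if (principal == null) { return false; }`. In the `!cache` case this expects something earlier in the request to have re-authenticated the user and set the request Principal, which this diff does not show, so a comment such as `// cache==false: the caller is expected to have re-authenticated from the session notes and set the request Principal` would record that assumption. The existing comment `// Is there a saved principal?` no longer describes a saved note and could read `// Has the user already been authenticated?`.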