[
https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed FEDIZ-256.
-------------------------------------
> Tomcat authenticationSessionTimeout
> -----------------------------------
>
> Key: FEDIZ-256
> URL: https://issues.apache.org/jira/browse/FEDIZ-256
> Project: CXF-Fediz
> Issue Type: Bug
> Components: Plugin
> Affects Versions: 1.6.1
> Reporter: Tomas Milian
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 1.6.2
>
>
> Hello,
> I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.
> Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute
> (authenticationSessionTimeout) that breaks Fediz authentication process.
> {color:#172b4d}Fediz uses FormAuthenticator to save the request, the change
> introduced in Tomcat 9.0.74 replaces the original session timeout with the
> authenticationSessionTimeout default value (120 seconds).{color}
> {code:java}
> if (session instanceof HttpSession && ((HttpSession)
> session).isNew()) {
> int originalMaxInactiveInterval =
> session.getMaxInactiveInterval();
> if (originalMaxInactiveInterval >
> getAuthenticationSessionTimeout()) {
>
> saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
>
> session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
> }
> } {code}
> {color:#172b4d}Once the Fediz authentication is resumed, the original session
> maxInactiveInterval is not restored, so authenticated session always ends up
> with a 120 second maxInactiveInterval{color}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
