[jira] [Commented] (FEDIZ-256) Tomcat authenticationSessionTimeout

2023-11-24 Thread Tomas Milian (Jira)


[ 
https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17789439#comment-17789439
 ] 

Tomas Milian commented on FEDIZ-256:


Hello [~coheigea],

I tested Tomcat 9.0.83, which fixes the authenticationSessionTimeout in 
FormAuthenticator.

Unfortunately, the Fediz Tomcat plugin still does not recover the original session 
timeout :( 

Sorry I couldn't do any further debugging, but from what I've seen 
restoreRequest is never called from FederationAuthenticator.

> Tomcat authenticationSessionTimeout
> ---
>
> Key: FEDIZ-256
> URL: https://issues.apache.org/jira/browse/FEDIZ-256
> Project: CXF-Fediz
> Issue Type: Bug
> Components: Plugin
> Affects Versions: 1.6.1
> Reporter: Tomas Milian
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> Hello,
> I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.
> Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute 
> (authenticationSessionTimeout) that breaks Fediz authentication process.
> Fediz uses FormAuthenticator to save the request, the change 
> introduced in Tomcat 9.0.74 replaces the original session timeout with the 
> authenticationSessionTimeout default value (120 seconds).
> {code:java}
>         if (session instanceof HttpSession && ((HttpSession) session).isNew()) {
>             int originalMaxInactiveInterval = session.getMaxInactiveInterval();
>             if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
>                 saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
>                 session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
>             }
>         }
> {code}
> Once the Fediz authentication is resumed, the original session 
> maxInactiveInterval is not restored, so authenticated session always ends up 
> with a 120 second maxInactiveInterval.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
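
One way to detect and repair the symptom reported in this thread while the plugin does not restore the timeout, as an added example that is not code from Fediz, Tomcat, or any participant here. The class name `SessionTimeoutRepairFilter` and its helper are hypothetical; it assumes Tomcat 9 (Servlet 4.0, `javax.servlet`) and an application that never deliberately sets a per-session timeout below the configured default.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical filter, not Fediz or Tomcat code. Assumes the application never
// sets a per-session timeout shorter than the configured default on purpose.
public class SessionTimeoutRepairFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(SessionTimeoutRepairFilter.class.getName());

    // Decides the interval (seconds) a session should have.
    // Non-positive values mean "never expire" in the Servlet API.
    static int repairedInterval(boolean authenticated, int current, int configured) {
        if (!authenticated || current <= 0) {
            return current; // login still in progress, or session already never expires
        }
        if (configured <= 0 || current < configured) {
            return configured; // truncated during login: put the configured value back
        }
        return current;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false); // never create a session here
        if (session != null) {
            // ServletContext.getSessionTimeout() (Servlet 4.0) returns minutes.
            int configured = http.getServletContext().getSessionTimeout() * 60;
            int current = session.getMaxInactiveInterval();
            int wanted = repairedInterval(http.getUserPrincipal() != null, current, configured);
            if (wanted != current) {
                // Log the values, not the session id, which is a credential.
                LOG.warning("Authenticated session had maxInactiveInterval=" + current
                        + "s, expected " + wanted + "s; restoring");
                session.setMaxInactiveInterval(wanted);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Sessions without a principal are left untouched, so the short timeout still applies while a login is pending; the warning line doubles as a detection signal that the restore step was skipped.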


[jira] [Commented] (FEDIZ-256) Tomcat authenticationSessionTimeout

2023-11-05 Thread Tomas Milian (Jira)


[ 
https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17783115#comment-17783115
 ] 

Tomas Milian commented on FEDIZ-256:


Thanks, I will test it once released and come back to you.



[jira] [Commented] (FEDIZ-256) Tomcat authenticationSessionTimeout

2023-11-02 Thread Colm O hEigeartaigh (Jira)


[ 
https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17782173#comment-17782173
 ] 

Colm O hEigeartaigh commented on FEDIZ-256:
---

We have a new fix in Tomcat - maybe this fixes the problem? 
[https://github.com/apache/tomcat/commit/cd58739d64cba52dfc96a3aba6a180adea1ab020]

 
