[jira] [Commented] (FEDIZ-256) Tomcat authenticationSessionTimeout
[ https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17789439#comment-17789439 ]

Tomas Milian commented on FEDIZ-256:

Hello [~coheigea],
I tested Tomcat 9.0.83 which fixes the authenticationSessionTimeout in FormAuthenticator. Unfortunately Fediz Tomcat plugin still does not recover the original session timeout :(
Sorry I couldn't do any further debugging but from what I've seen restoreRequest is never called from FederationAuthenticator

> Tomcat authenticationSessionTimeout
> ---
>
> Key: FEDIZ-256
> URL: https://issues.apache.org/jira/browse/FEDIZ-256
> Project: CXF-Fediz
> Issue Type: Bug
> Components: Plugin
> Affects Versions: 1.6.1
> Reporter: Tomas Milian
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> Hello,
> I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.
> Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute (authenticationSessionTimeout) that breaks Fediz authentication process.
> Fediz uses FormAuthenticator to save the request, the change introduced in Tomcat 9.0.74 replaces the original session timeout with the authenticationSessionTimeout default value (120 seconds).
> {code:java}
> if (session instanceof HttpSession && ((HttpSession) session).isNew()) {
>     int originalMaxInactiveInterval = session.getMaxInactiveInterval();
>     if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
>         // Remember the configured timeout in the saved request ...
>         saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
>         // ... and shorten the session while authentication is pending.
>         session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
>     }
> }
> {code}
> Once the Fediz authentication is resumed, the original session maxInactiveInterval is not restored, so authenticated session always ends up with a 120 second maxInactiveInterval

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
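An application-side stopgap for the behaviour reported above, as an added example that is not code from Fediz, Tomcat or this issue: a servlet filter that puts the web application's configured timeout back on authenticated sessions still carrying the shortened value. Assumptions: the class name and the `authenticationSessionTimeout` init parameter are hypothetical, the filter is mapped to the protected URLs, the Fediz authenticator has populated `getUserPrincipal()` before filters run, and the container is Tomcat 9 (Servlet 4.0, `javax.servlet`).

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical workaround filter; not part of Fediz or Tomcat. */
public class RestoreSessionTimeoutFilter implements Filter {

    // Marker so each session is examined once after login.
    private static final String CHECKED =
            RestoreSessionTimeoutFilter.class.getName() + ".checked";

    private int authTimeoutSeconds = 120; // default named in the issue
    private int configuredSeconds;        // <session-timeout> of the web app

    @Override
    public void init(FilterConfig config) {
        // ServletContext.getSessionTimeout() (Servlet 4.0) returns minutes.
        configuredSeconds = config.getServletContext().getSessionTimeout() * 60;
        String p = config.getInitParameter("authenticationSessionTimeout");
        if (p != null) {
            authTimeoutSeconds = Integer.parseInt(p.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        if (session != null && http.getUserPrincipal() != null
                && session.getAttribute(CHECKED) == null) {
            // Same condition Tomcat used when shortening: only sessions whose
            // configured timeout exceeded the authentication timeout changed.
            if (configuredSeconds > authTimeoutSeconds
                    && session.getMaxInactiveInterval() == authTimeoutSeconds) {
                session.setMaxInactiveInterval(configuredSeconds);
            }
            session.setAttribute(CHECKED, Boolean.TRUE);
        }
        chain.doFilter(req, res);
    }
}
```

The filter cannot read the value Tomcat stored with `setOriginalMaxInactiveInterval`, so it falls back to the deployment's configured timeout; an application that sets per-session timeouts in code would need to supply its own target value.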
[jira] [Commented] (FEDIZ-256) Tomcat authenticationSessionTimeout
[ https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17783115#comment-17783115 ]

Tomas Milian commented on FEDIZ-256:

Thanks I will test it once released and come back to you
[jira] [Commented] (FEDIZ-256) Tomcat authenticationSessionTimeout
[ https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17782173#comment-17782173 ]

Colm O hEigeartaigh commented on FEDIZ-256:

We have a new fix in Tomcat - maybe this fixes the problem?
[https://github.com/apache/tomcat/commit/cd58739d64cba52dfc96a3aba6a180adea1ab020]