Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

2003-11-24 Thread Brian Stansberry
At 08:21 PM 11/24/2003 +0100, Remy wrote:
>Brian Stansberry wrote:
>>At 11:56 AM 11/24/2003 -0600, Luke Nelson wrote:
>>
>>>I have tried applying the patch, and I found three problems with
>>>it. First, its removal of a session from the SingleSignOnEntry
>>>object causes an IndexOutOfBounds exception.  Second, the method
>>>for determining whether the user explicitly logged out or whether a
>>>session timed out doesn't scale one of the numbers correctly (i.e.
>>>comparing millisecond values to seconds).  I have fixed the patch,
>>>but I don't have a diff of it yet (I'm new to helping with this
>>>project).  Finally, the patch doesn't synchronize on 'reverse' when
>>>removing an entry from it.
>>
>>I also looked at the code for StandardSession.getLastAccessedTime()
>>and it looks as if it will throw an IllegalStateException if the
>>session is expired.  So that would break the algorithm used in the
>>9077 patch.
>>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify
>>throwing an IllegalStateException for a call to
>>getLastAccessedTime().  It looks as if the exception throw  was added
>>in response to bug 15967, which stated that the javadoc does specify
>>the exception, but I'm looking at the javadoc for both Servlet 2.3
>>and 2.4, and in both cases it's not specified.
>
>Can you address those issues ASAP ? (incl the array out of bounds and the sync issue)

Sure; I'm starting on it now.  However, Jean-Francois found a HttpSession javadoc that 
specifies throwing an IllegalStateException in getLastAccessedTime().  If that is in 
the final spec, the 9077 patch algorithm will not work.  I'll work on it anyway in 
case the exception's not in the final spec.

As a backup, I've attached a patch that restores your earlier removal of the logout 
code.


Brian Stansberry
WAN Concepts, Inc.
www.wanconcepts.com
Tel:(510) 894-0114 x 116
Fax:(510) 797-3005

Index: SingleSignOn.java
===
RCS file: 
/home/cvspublic/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java,v
retrieving revision 1.8
diff -u -r1.8 SingleSignOn.java
--- SingleSignOn.java   24 Nov 2003 16:46:56 -  1.8
+++ SingleSignOn.java   24 Nov 2003 20:14:10 -
@@ -376,7 +376,11 @@
 if (ssoId == null)
 return;
 
-if ( event.getData() != null 
+deregister(ssoId);
+// FIXME: There's no way right now to specify per application or
+// global logout
+/*
+if ( event.getData() != null
  && "logout".equals( event.getData().toString() )) {
 // logout of all applications
 deregister(ssoId);
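Review bot: `deregister(ssoId);` now runs unconditionally for every event that gets past the `ssoId == null` check, so an ordinary inactivity timeout in one webapp logs the user out of every SSO application; that is the fail-closed side of the trade-off the thread is debating under bug 9077, and the FIXME should say so and cite the bug, e.g. `// FIXME: bug 9077 - no way yet to tell a timeout from an explicit logout, so deregister globally`, so the next reader knows the per-application path was dropped on purpose rather than lost.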
@@ -384,6 +388,7 @@
 // invalidate just one session
 deregister(ssoId, session);
 }
+*/
 
 }
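Review bot: the `+*/` here closes the `/*` opened in the previous hunk, so the two hunks only compile when applied together; and the block it closes also swallows the else branch, `deregister(ssoId, session);` ("invalidate just one session"), leaving no per-session removal path in the method at all. Since CVS keeps revision 1.8 for reference, delete the dead block rather than commenting it out, or leave the per-session branch reachable so a later change can restore the distinction without digging it out of a comment.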

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

2003-11-24 Thread Brian Stansberry
At 02:08 PM 11/24/2003 -0500, you wrote:
>Brian Stansberry wrote:
>>
>>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify throwing an 
>>IllegalStateException for a call to getLastAccessedTime().  It looks as if the 
>>exception throw  was added in response to bug 15967, which stated that the javadoc 
>>does specify the exception, but I'm looking at the javadoc for both Servlet 2.3 and 
>>2.4, and in both cases it's not specified.
>Hum...look at:
>
>>http://java.sun.com/j2ee/1.4/docs/api/index.html
>>
>>  getLastAccessedTime
>>
>>public long *getLastAccessedTime*()
>>
>>[.]
>>
>>*Returns:*
>>a |long| representing the last time the client sent a request
>>associated with this session, expressed in milliseconds since
>>1/1/1970 GMT
>>*Throws:*
>>|IllegalStateException|
>>- if this method is called on an invalidated session
>

Oh, OK.  The Servlet 2.4 javadoc I was looking at was downloaded from the JSR-154 
Proposed Final Draft 3 web page 
(http://jcp.org/aboutJava/communityprocess/first/jsr154/index3.html).  The throws tag 
is not included there.  Hopefully they'll make this clear when they issue the final 
J2EE 1.4 spec.





Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

2003-11-24 Thread Remy Maucherat
Brian Stansberry wrote:
>At 11:56 AM 11/24/2003 -0600, you wrote:
>
>>I have tried applying the patch, and I found three problems with
>>it. First, its removal of a session from the SingleSignOnEntry
>>object causes an IndexOutOfBounds exception.  Second, the method
>>for determining whether the user explicitly logged out or whether a
>>session timed out doesn't scale one of the numbers correctly (i.e.
>>comparing millisecond values to seconds).  I have fixed the patch,
>>but I don't have a diff of it yet (I'm new to helping with this
>>project).  Finally, the patch doesn't synchronize on 'reverse' when
>>removing an entry from it.
>
>I also looked at the code for StandardSession.getLastAccessedTime()
>and it looks as if it will throw an IllegalStateException if the
>session is expired.  So that would break the algorithm used in the
>9077 patch.
>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify
>throwing an IllegalStateException for a call to
>getLastAccessedTime().  It looks as if the exception throw was added
>in response to bug 15967, which stated that the javadoc does specify
>the exception, but I'm looking at the javadoc for both Servlet 2.3
>and 2.4, and in both cases it's not specified.

Can you address those issues ASAP ? (incl the array out of bounds and the sync issue)

Thanks,
Remy


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

2003-11-24 Thread Jean-Francois Arcand


Brian Stansberry wrote:

>At 11:56 AM 11/24/2003 -0600, you wrote:
>
>>I have tried applying the patch, and I found three problems with it.
>>First, its removal of a session from the SingleSignOnEntry object causes
>>an IndexOutOfBounds exception.  Second, the method for determining
>>whether the user explicitly logged out or whether a session timed out
>>doesn't scale one of the numbers correctly (i.e. comparing millisecond
>>values to seconds).  I have fixed the patch, but I don't have a diff of
>>it yet (I'm new to helping with this project).  Finally, the patch
>>doesn't synchronize on 'reverse' when removing an entry from it.
>
>I also looked at the code for StandardSession.getLastAccessedTime() and it looks as if it will throw an IllegalStateException if the session is expired.  So that would break the algorithm used in the 9077 patch.
>
>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify throwing an IllegalStateException for a call to getLastAccessedTime().  It looks as if the exception throw was added in response to bug 15967, which stated that the javadoc does specify the exception, but I'm looking at the javadoc for both Servlet 2.3 and 2.4, and in both cases it's not specified.

Hum...look at:

http://java.sun.com/j2ee/1.4/docs/api/index.html


  getLastAccessedTime

public long *getLastAccessedTime*()

[.]

*Returns:*
a |long| representing the last time the client sent a request
associated with this session, expressed in milliseconds since
1/1/1970 GMT 
*Throws:*
|IllegalStateException|
- if this method is called on an invalidated session



-- Jeanfrancois



RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

2003-11-24 Thread Brian Stansberry
At 11:56 AM 11/24/2003 -0600, you wrote:
>I have tried applying the patch, and I found three problems with it.
>First, its removal of a session from the SingleSignOnEntry object causes
>an IndexOutOfBounds exception.  Second, the method for determining
>whether the user explicitly logged out or whether a session timed out
>doesn't scale one of the numbers correctly (i.e. comparing millisecond
>values to seconds).  I have fixed the patch, but I don't have a diff of
>it yet (I'm new to helping with this project).  Finally, the patch
>doesn't synchronize on 'reverse' when removing an entry from it.

I also looked at the code for StandardSession.getLastAccessedTime() and it looks as if 
it will throw an IllegalStateException if the session is expired.  So that would break 
the algorithm used in the 9077 patch.

BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify throwing an 
IllegalStateException for a call to getLastAccessedTime().  It looks as if the 
exception throw  was added in response to bug 15967, which stated that the javadoc 
does specify the exception, but I'm looking at the javadoc for both Servlet 2.3 and 
2.4, and in both cases it's not specified.





RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

2003-11-24 Thread Nelson, Luke
I'm sorry I should have stated in my last message that I have tried the
patch to bug 9077.

Luke

-Original Message-
From: Nelson, Luke 
Sent: Monday, November 24, 2003 10:57 AM
To: Tomcat Developers List
Subject: RE: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti
cator SingleSignOnEntry.java AuthenticatorBase.java
BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java
NonLoginAuthenticator.java SSLAuthentic

I have tried applying the patch, and I found three problems with it.
First, its removal of a session from the SingleSignOnEntry object causes
an IndexOutOfBounds exception.  Second, the method for determining
whether the user explicitly logged out or whether a session timed out
doesn't scale one of the numbers correctly (i.e. comparing millisecond
values to seconds).  I have fixed the patch, but I don't have a diff of
it yet (I'm new to helping with this project).  Finally, the patch
doesn't synchronize on 'reverse' when removing an entry from it.

The only other issue that I have with this patch is that if someone
explicitly logged out at the same instant that the session timed out,
the user may not be logged out of all of the applications.  It is an
unlikely scenario, but still a dangerous one.  This is why it is better
for the session object, when firing the destroyed event, to indicate
whether it was destroyed by timeout or explicit invalidation.

Luke

-Original Message-
From: Brian Stansberry [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 24, 2003 10:43 AM
To: Tomcat Developers List
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti
cator SingleSignOnEntry.java AuthenticatorBase.java
BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java
NonLoginAuthenticator.java SSLAuthentic

At 06:15 PM 11/24/2003 +0100, you wrote:
>Tim Funk wrote:
>
>>This means that the "logout" check is now back in, the revert from 1.6 -> 1.7 for bug http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23764
>>Diff link:
>>http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java.diff?r1=1.6&r2=1.7&diff_format=h
>>Just an FYI, at this point, I don't know if that is good, bad, or neither.
>
>That's true.
>Maybe Brian can explain why he removed this (otherwise, I'll reapply the fix).

No, my mistake. I didn't intend to change anything related to session
invalidation and didn't notice it in the diff.  :(

Since the "logout" feature no longer is there, this means bug 9077 still
applies to TC5.  Is anyone aware of any issue with the proposed patch
attached to that bug?


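An added illustration (not Tomcat's code and not the bug 9077 patch) of the timeout-versus-logout heuristic the thread is debating, folding in the three fixes Luke lists and the IllegalStateException guard that Brian's javadoc question turns on. The Session interface is an assumed stand-in for the two HttpSession methods involved, and SsoLogoutHeuristic, register and sessionDestroyed are hypothetical names.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SsoLogoutHeuristic {
    /** Assumed stand-in for the two HttpSession methods the heuristic needs (not the real API). */
    interface Session {
        long getLastAccessedTime();   // ms since the epoch; may throw IllegalStateException
        int getMaxInactiveInterval(); // SECONDS, per the Servlet spec
    }

    enum Reason { TIMEOUT, LOGOUT, UNKNOWN }

    /** UNKNOWN when the session is already invalidated and getLastAccessedTime() throws. */
    static Reason classify(Session s, long nowMillis) {
        long lastAccess;
        try {
            lastAccess = s.getLastAccessedTime();
        } catch (IllegalStateException e) {
            return Reason.UNKNOWN;    // the J2EE 1.4 javadoc permits this throw
        }
        // Luke's second finding: the interval is in seconds, the clock in milliseconds.
        long limitMillis = s.getMaxInactiveInterval() * 1000L;
        return (nowMillis - lastAccess) >= limitMillis ? Reason.TIMEOUT : Reason.LOGOUT;
    }

    private final Map<String, List<Session>> cache = new HashMap<>(); // ssoId -> sessions
    private final Map<Session, String> reverse = new HashMap<>();     // session -> ssoId
    synchronized void register(String ssoId, Session s) {
        cache.computeIfAbsent(ssoId, k -> new ArrayList<>()).add(s);
        reverse.put(s, ssoId);
    }

    /** Luke's third finding: 'reverse' is only touched under the lock. A timeout drops this
     *  one session; a logout, or an UNKNOWN, fails closed and deregisters the whole SSO id. */
    synchronized void sessionDestroyed(Session s, long nowMillis) {
        String ssoId = reverse.remove(s);
        List<Session> entry = ssoId == null ? null : cache.get(ssoId);
        if (entry == null) return;
        if (classify(s, nowMillis) == Reason.TIMEOUT) {
            entry.remove(s);          // remove by object, so no index can go out of bounds
            if (entry.isEmpty()) cache.remove(ssoId);
        } else {
            for (Session other : entry) reverse.remove(other);
            cache.remove(ssoId);
        }
    }
}
```

The heuristic still cannot tell apart Luke's same-instant case, an explicit logout that lands just as the idle limit passes, which is why he proposes having the session report the destroy reason in its event instead of inferring it from timestamps.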



RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

2003-11-24 Thread Nelson, Luke
I have tried applying the patch, and I found three problems with it.
First, its removal of a session from the SingleSignOnEntry object causes
an IndexOutOfBounds exception.  Second, the method for determining
whether the user explicitly logged out or whether a session timed out
doesn't scale one of the numbers correctly (i.e. comparing millisecond
values to seconds).  I have fixed the patch, but I don't have a diff of
it yet (I'm new to helping with this project).  Finally, the patch
doesn't synchronize on 'reverse' when removing an entry from it.

The only other issue that I have with this patch is that if someone
explicitly logged out at the same instant that the session timed out,
the user may not be logged out of all of the applications.  It is an
unlikely scenario, but still a dangerous one.  This is why it is better
for the session object, when firing the destroyed event, to indicate
whether it was destroyed by timeout or explicit invalidation.

Luke

-Original Message-
From: Brian Stansberry [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 24, 2003 10:43 AM
To: Tomcat Developers List
Subject: Re: cvs commit:
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti
cator SingleSignOnEntry.java AuthenticatorBase.java
BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java
NonLoginAuthenticator.java SSLAuthentic

At 06:15 PM 11/24/2003 +0100, you wrote:
>Tim Funk wrote:
>
>>This means that the "logout" check is now back in, the revert from 1.6 -> 1.7 for bug http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23764
>>Diff link:
>>http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/SingleSignOn.java.diff?r1=1.6&r2=1.7&diff_format=h
>>Just an FYI, at this point, I don't know if that is good, bad, or neither.
>
>That's true.
>Maybe Brian can explain why he removed this (otherwise, I'll reapply the fix).

No, my mistake. I didn't intend to change anything related to session
invalidation and didn't notice it in the diff.  :(

Since the "logout" feature no longer is there, this means bug 9077 still
applies to TC5.  Is anyone aware of any issue with the proposed patch
attached to that bug?

