On 07/10/2021 18:37, Michael Kolenda wrote:
Hey Tomcat Users,

I've run into an interesting behavior with a custom JASPIC provider. When
there is an existing session, i.e. a JSESSIONID cookie, it appears the
groups/roles are not checked again... even when the new groups are provided
in the client Subject (JASPIC's validate()). When attempting stateless
authentication via JWT/OAuth, how can I ignore a previously set session for
an individual request?

It appears to be based around equals() on my Principal object. I can make
it so Principals generated via stateless authentication protocols are
never equal, but then I get a new session id in the response. I don't want
a session id at all for this request.

I'm only basing this on looking at Tomcat's source code so I may be on the wrong track.

You probably want to set cache="false" on your authenticator. That will stop Tomcat trying to cache the authenticated principal in the session.

From your description and looking at the source for AuthenticatorBase, I think that should address the issue you are seeing.

You might also want to check if alwaysUseSession has been set. If not, the default of false is fine but I don't think you want this set to true.

Mark
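
As an added illustration of the two settings named in the reply above (this is an example written for this page, not code from the thread or from the Tomcat project), here is the authenticator Valve declared explicitly in a web application's META-INF/context.xml, with the default values beside the values suited to stateless bearer-token authentication. The Valve class is an assumption: when no Valve is declared, Tomcat picks the authenticator from the web.xml auth-method, so use the class that matches the application (NonLoginAuthenticator is what Tomcat uses when there is no login-config).

```xml
<!-- META-INF/context.xml: added example, not from the original thread.
     The className is assumed; match it to the application's auth-method. -->
<Context>

  <!-- Default behaviour (shown commented out): cache="true" stores the
       authenticated Principal in the HTTP session, so a request that carries
       an existing JSESSIONID reuses that Principal rather than the one built
       from the credentials on this request. -->
  <!--
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         cache="true"
         alwaysUseSession="false" />
  -->

  <!-- Stateless JWT/OAuth: cache="false" stops the Principal being cached in
       the session, so each request is authenticated from its own credentials.
       alwaysUseSession is left at its default of false so that authenticating
       a user does not by itself create a session (and a JSESSIONID cookie). -->
  <Valve className="org.apache.catalina.authenticator.NonLoginAuthenticator"
         cache="false"
         alwaysUseSession="false" />

</Context>
```

With cache="false" every request has to carry its own credentials, which is exactly the contract of a bearer-token scheme; form or basic login flows that rely on the session to remember the user should not be deployed on the same Context with this setting.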
