This is an application design issue, not a Tomcat issue.
FORM auth is not intended / designed to work in the following scenario:
- user is not authenticated
- multiple, concurrent requests are made for resources requiring
authentication
You need to design the application in such a way that once
authentication is triggered, no further requests are made until
authentication is complete.
Mark
On 30/12/2021 11:02, Rathore, Rajendra wrote:
Link for image where it will shows the details
https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing
Thanks and Regards,
Rajendra Rathore
9922701491
From: Rathore, Rajendra
Sent: Thursday, December 30, 2021 4:25 PM
To: users@tomcat.apache.org
Subject: issue with Form based authentication
Importance: High
Hi Team,
We are facing some weird issue with tomcat Form based authentication, I will
try to explain the scenario as below:
issue is reproducible in specific conditions, when browser cache is disabled,
and cleared out before session timeout. In this conditions after session
timeout when user is moving mouse over some elements where requests for GIFs
are sent. Those request are processed by FormAuthenticator tomcat class. This
class is responsible for saving requested URL and redirecting user to this
saved URL after successful login. But this class saves in session all requests
using the same key, this means that old requests are overrided by new ones. In
this case there are multiple requests after session timeout, to get some GIFs,
and to show relogin.jsp in popup window, those requests are handled by
different threads, and last executed thread is saving to session information
about requested URL. We have classic race condition here. If relogin.jsp will
be requested last, then issue is not reproducible, if some GIF will be
requested and saved last issue will be reproducible.
Please let me know if any extra loggers required, will enable and shared with
you.
Thanks and Regards,
Rajendra Rathore
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org