Mark, Rajendra,
On 12/30/21 06:13, Mark Thomas wrote:
This is an application design issue, not a Tomcat issue.
FORM auth is not intended / designed to work in the following scenario:
- user is not authenticated
- multiple, concurrent requests are made for resources requiring
authentication
You need to design the application in such a way that once
authentication is triggered, no further requests are made until
authentication is complete.
+1
An easy way to do this is to make sure that all requests for static
resources such as images, etc. are explicitly defined to NOT require any
authentication, perhaps like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>unauthenticated-stuff</web-resource-name>
    <url-pattern>/path/to/static/a/*</url-pattern>
    <url-pattern>/path/to/static/b/*</url-pattern>
    <!-- ... -->
  </web-resource-collection>
  <!-- no auth-constraint means no constraints -->
</security-constraint>
-chris
On 30/12/2021 11:02, Rathore, Rajendra wrote:
Link to the image which shows the details:
https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing
Thanks and Regards,
Rajendra Rathore
9922701491
From: Rathore, Rajendra
Sent: Thursday, December 30, 2021 4:25 PM
To: users@tomcat.apache.org
Subject: issue with Form based authentication
Importance: High
Hi Team,
We are facing a weird issue with Tomcat Form based authentication;
I will try to explain the scenario below:
The issue is reproducible under specific conditions: when the browser
cache is disabled and cleared out before session timeout. Under these
conditions, after session timeout, when the user moves the mouse over
some elements, requests for GIFs are sent. Those requests are processed
by the FormAuthenticator Tomcat class. This class is responsible for
saving the requested URL and redirecting the user to this saved URL after
successful login. But this class saves all requests in the session using
the same key, which means that old requests are overridden by new ones.
In this case there are multiple requests after session timeout, to get
some GIFs and to show relogin.jsp in a popup window; those requests are
handled by different threads, and the last executed thread saves the
requested URL information to the session. We have a classic race
condition here. If relogin.jsp is requested last, then the issue is not
reproducible; if some GIF is requested and saved last, the issue is
reproducible.
Please let me know if any extra loggers are required; I will enable them
and share the output with you.
Thanks and Regards,
Rajendra Rathore
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org