Posted to dev@tomcat.apache.org by kk...@apache.org on 2019/12/11 10:11:58 UTC

[tomcat] branch master updated: Do not store username and password as session notes during authentication if they are not needed.

This is an automated email from the ASF dual-hosted git repository.

kkolinko pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/master by this push:
     new cbc639a  Do not store username and password as session notes during authentication if they are not needed.
cbc639a is described below

commit cbc639a740ef3f8ffbf301fc4b417d330f85912b
Author: Konstantin Kolinko <kk...@apache.org>
AuthorDate: Wed Dec 11 12:59:02 2019 +0300

    Do not store username and password as session notes during authentication if they are not needed.
    
    Only FormAuthenticator reads those notes and only in the rare case when caching is turned off. Other authenticators do not need them.
    If any third-party authenticator has a need, it is possible to override register(..) as FormAuthenticator does here.
    
    It is a review of commit 1ecba14e690cf5f3f143eef6ae7037a6d3c16652.
---
 .../catalina/authenticator/AuthenticatorBase.java  | 45 ++++++++++++++--------
 .../catalina/authenticator/FormAuthenticator.java  | 27 +++++++++++++
 webapps/docs/changelog.xml                         |  8 ++++
 3 files changed, 63 insertions(+), 17 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index d63d652..208155f 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -1101,7 +1101,31 @@ public abstract class AuthenticatorBase extends ValveBase
     }
 
 
-    private void register(Request request, HttpServletResponse response, Principal principal,
+    /**
+     * Register an authenticated Principal and authentication type in our
+     * request, in the current session (if there is one), and with our
+     * SingleSignOn valve, if there is one. Set the appropriate cookie to be
+     * returned.
+     *
+     * @param request
+     *            The servlet request we are processing
+     * @param response
+     *            The servlet response we are generating
+     * @param principal
+     *            The authenticated Principal to be registered
+     * @param authType
+     *            The authentication type to be registered
+     * @param username
+     *            Username used to authenticate (if any)
+     * @param password
+     *            Password used to authenticate (if any)
+     * @param alwaysUseSession
+     *            Should a session always be used once a user is authenticated?
+     * @param cache
+     *            Should we cache authenticated Principals if the request is part of an
+     *            HTTP session?
+     */
+    protected void register(Request request, HttpServletResponse response, Principal principal,
             String authType, String username, String password, boolean alwaysUseSession,
             boolean cache) {
 
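Review bot: The new Javadoc describes `username` and `password` as "used to authenticate (if any)", but after this commit the base implementation never reads either parameter; per the commit message their only consumer is a subclass override, and a reader of AuthenticatorBase alone cannot tell that. Since the method is now `protected` it is part of the extension API, so the description should state that contract, e.g. `The default implementation does not use {@code username} or {@code password}; subclasses that need them for later re-authentication (such as FormAuthenticator) override this method and should call {@code super.register(...)} first.`. The body of register(..) continues past the end of this hunk.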
@@ -1137,22 +1161,9 @@ public abstract class AuthenticatorBase extends ValveBase
         }
 
         // Cache the authentication information in our session, if any
-        if (session != null) {
-            if (cache) {
-                session.setAuthType(authType);
-                session.setPrincipal(principal);
-            } else {
-                if (username != null) {
-                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
-                } else {
-                    session.removeNote(Constants.SESS_USERNAME_NOTE);
-                }
-                if (password != null) {
-                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
-                } else {
-                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
-                }
-            }
+        if (session != null && cache) {
+            session.setAuthType(authType);
+            session.setPrincipal(principal);
         }
 
         // Construct a cookie to be returned to the client
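Review bot: The removed `else` branch also cleared any existing SESS_USERNAME_NOTE and SESS_PASSWORD_NOTE when the new values were null, and the new `session != null && cache` form drops that clearing entirely, so a session that already holds those notes (written before this change, or by a subclass override that does not null them out) keeps them until the session ends; whether such a session can occur in practice depends on code outside this hunk. If the base class is deliberately no longer touching these notes, record that in the comment at the top of the block, e.g. `// Cache the authentication information in our session, if any. Credential notes used for re-authentication are the responsibility of subclass overrides of register(..).`. The enclosing method begins and ends outside this hunk.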
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index e9b9839..4a508f6 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -356,6 +356,33 @@ public class FormAuthenticator
     }
 
 
+    @Override
+    protected void register(Request request, HttpServletResponse response,
+            Principal principal, String authType, String username,
+            String password, boolean alwaysUseSession, boolean cache) {
+
+        super.register(request, response, principal, authType, username, password, alwaysUseSession, cache);
+
+        // If caching an authenticated Principal is turned off,
+        // store username and password as session notes to use them for re-authentication.
+        if (!cache) {
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                if (username != null) {
+                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
+                } else {
+                    session.removeNote(Constants.SESS_USERNAME_NOTE);
+                }
+                if (password != null) {
+                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+                } else {
+                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
+                }
+            }
+        }
+    }
+
+
     /**
      * Called to forward to the login page
      *
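Review bot: The override has no Javadoc, and since after this commit it is the only place a plaintext password is written to a session note, its contract deserves one, e.g. `/** {@inheritDoc} <p>When {@code cache} is {@code false}, additionally stores the username and password as session notes so the user can be re-authenticated on subsequent requests. */`. The inline comment could likewise say that the password note holds the password as given, which is what an operator deciding on session persistence or replication for a `cache="false"` deployment needs to know. Separately, the line `super.register(request, response, principal, authType, username, password, alwaysUseSession, cache);` runs well past the width used by the surrounding code; wrap it to match the signature above it.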
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index cd13ca6..932173f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -45,6 +45,14 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.31 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <update>
+        Do not store username and password as session notes during
+        authentication if they are not needed. (kkolinko)
+      </update>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <update>

