You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/12/08 10:35:59 UTC
DO NOT REPLY [Bug 52303] New: NonLoginAuthenticator does not honour
session timeout with SingleSignOn Valve
https://issues.apache.org/bugzilla/show_bug.cgi?id=52303
Bug #: 52303
Summary: NonLoginAuthenticator does not honour session timeout
with SingleSignOn Valve
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: Brian@PingToo.com
Classification: Unclassified
Created attachment 28052
--> https://issues.apache.org/bugzilla/attachment.cgi?id=28052
proposed diff to fix org.apache.catalina.authenticator.NonLoginAuthenticator
This problem has been explored and discussed on the tomcat-users mailing list
under the title "SingleSignonValve and webapp session timeout". Basically, a
webapp that does not need to define a <login-config> is valid under the servlet
3.0 spec and therefore should be able to participate in a single signon realm.
It should be able to inherit the security principal established by another
webapp within the same realm. Its own <session-timeout> value should be
honoured, even when all the other sessions in the same SingleSignOnEntry have
expired.
The problem is with NonLoginAuthenticator - at some time it had SSO helper
logic that was too primitive. This logic was completely commented-out in tomcat
6.0.0.
I have two fairly simple webapps (not quite drop-ins) that demonstrate the
problem and my proposed fix. I have heavily commented my proposed fix to
explain the surrounding dependent logic that it relies on.
At the moment I have not found an SSO-based unit test for any of the
AuthenticatorBase concrete classes, but I will try to create one (eventually).
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 52303] NonLoginAuthenticator does not honour
session timeout with SingleSignOn Valve
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52303
Brian Burch <Br...@PingToo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |Brian@PingToo.com
Severity|normal |minor
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 52303] NonLoginAuthenticator does not honour
session timeout with SingleSignOn Valve
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52303
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-12-27 20:25:25 UTC ---
Many thanks for the patch. It looks good to me.
The patch has been applied to trunk and 7.0.x and will be included in 7.0.24
onwards.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org