You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Rathore, Rajendra" <ra...@ptc.com> on 2021/12/30 10:54:44 UTC
issue with Form based authentication
Hi Team,
We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below:
issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout. In this conditions after session timeout when user is moving mouse over some elements where requests for GIFs are sent. Those request are processed by FormAuthenticator tomcat class. This class is responsible for saving requested URL and redirecting user to this saved URL after successful login. But this class saves in session all requests using the same key, this means that old requests are overrided by new ones. In this case there are multiple requests after session timeout, to get some GIFs, and to show relogin.jsp in popup window, those requests are handled by different threads, and last executed thread is saving to session information about requested URL. We have classic race condition here. If relogin.jsp will be requested last, then issue is not reproducible, if some GIF will be requested and saved last issue will be reproducible.
Please let me know if any extra loggers required, will enable and shared with you.
Thanks and Regards,
Rajendra Rathore
Re: issue with Form based authentication
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark, Rajendra,
On 12/30/21 06:13, Mark Thomas wrote:
> This is an application design issue, not a Tomcat issue.
>
> FORM auth is not intended / designed to work in the following scenario:
> - user is not authenticated
> - multiple, concurrent requests are made for resources requiring
> authentication
>
> You need to design the application in such a way that once
> authentication is triggered, no further requests are made until
> authentication is complete.
+1
An easy way to do this is to make sure that all requests for static
resources such as images, etc. are explicitly defined to NOT require any
authentication, perhaps like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>unauthenticated-stuff</web-resource-name>
<url-pattern>/path/to/static/a/*</url>
<url-pattern>/path/to/static/a/*</url>
<url-pattern>/path/to/static/b/*</url>
...
</web-resource-collection>
<!-- no auth-constraint means no constraints -->
</security-constraint>
-chris
> On 30/12/2021 11:02, Rathore, Rajendra wrote:
>> Link for image where it will shows the details
>>
>> https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing
>>
>>
>>
>> Thanks and Regards,
>> Rajendra Rathore
>> 9922701491
>>
>> From: Rathore, Rajendra
>> Sent: Thursday, December 30, 2021 4:25 PM
>> To: users@tomcat.apache.org
>> Subject: issue with Form based authentication
>> Importance: High
>>
>> Hi Team,
>>
>> We are facing some weird issue with tomcat Form based authentication,
>> I will try to explain the scenario as below:
>>
>> issue is reproducible in specific conditions, when browser cache is
>> disabled, and cleared out before session timeout. In this conditions
>> after session timeout when user is moving mouse over some elements
>> where requests for GIFs are sent. Those request are processed by
>> FormAuthenticator tomcat class. This class is responsible for saving
>> requested URL and redirecting user to this saved URL after successful
>> login. But this class saves in session all requests using the same
>> key, this means that old requests are overrided by new ones. In this
>> case there are multiple requests after session timeout, to get some
>> GIFs, and to show relogin.jsp in popup window, those requests are
>> handled by different threads, and last executed thread is saving to
>> session information about requested URL. We have classic race
>> condition here. If relogin.jsp will be requested last, then issue is
>> not reproducible, if some GIF will be requested and saved last issue
>> will be reproducible.
>>
>> Please let me know if any extra loggers required, will enable and
>> shared with you.
>>
>> Thanks and Regards,
>> Rajendra Rathore
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: issue with Form based authentication
Posted by Mark Thomas <ma...@apache.org>.
This is an application design issue, not a Tomcat issue.
FORM auth is not intended / designed to work in the following scenario:
- user is not authenticated
- multiple, concurrent requests are made for resources requiring
authentication
You need to design the application in such a way that once
authentication is triggered, no further requests are made until
authentication is complete.
Mark
On 30/12/2021 11:02, Rathore, Rajendra wrote:
> Link for image where it will shows the details
>
> https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing
>
>
> Thanks and Regards,
> Rajendra Rathore
> 9922701491
>
> From: Rathore, Rajendra
> Sent: Thursday, December 30, 2021 4:25 PM
> To: users@tomcat.apache.org
> Subject: issue with Form based authentication
> Importance: High
>
> Hi Team,
>
> We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below:
>
> issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout. In this conditions after session timeout when user is moving mouse over some elements where requests for GIFs are sent. Those request are processed by FormAuthenticator tomcat class. This class is responsible for saving requested URL and redirecting user to this saved URL after successful login. But this class saves in session all requests using the same key, this means that old requests are overrided by new ones. In this case there are multiple requests after session timeout, to get some GIFs, and to show relogin.jsp in popup window, those requests are handled by different threads, and last executed thread is saving to session information about requested URL. We have classic race condition here. If relogin.jsp will be requested last, then issue is not reproducible, if some GIF will be requested and saved last issue will be reproducible.
>
> Please let me know if any extra loggers required, will enable and shared with you.
>
> Thanks and Regards,
> Rajendra Rathore
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: issue with Form based authentication
Posted by "Rathore, Rajendra" <ra...@ptc.com>.
Link for image where it will shows the details
https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing
Thanks and Regards,
Rajendra Rathore
9922701491
From: Rathore, Rajendra
Sent: Thursday, December 30, 2021 4:25 PM
To: users@tomcat.apache.org
Subject: issue with Form based authentication
Importance: High
Hi Team,
We are facing some weird issue with tomcat Form based authentication, I will try to explain the scenario as below:
issue is reproducible in specific conditions, when browser cache is disabled, and cleared out before session timeout. In this conditions after session timeout when user is moving mouse over some elements where requests for GIFs are sent. Those request are processed by FormAuthenticator tomcat class. This class is responsible for saving requested URL and redirecting user to this saved URL after successful login. But this class saves in session all requests using the same key, this means that old requests are overrided by new ones. In this case there are multiple requests after session timeout, to get some GIFs, and to show relogin.jsp in popup window, those requests are handled by different threads, and last executed thread is saving to session information about requested URL. We have classic race condition here. If relogin.jsp will be requested last, then issue is not reproducible, if some GIF will be requested and saved last issue will be reproducible.
Please let me know if any extra loggers required, will enable and shared with you.
Thanks and Regards,
Rajendra Rathore