Posted to dev@tomcat.apache.org by kk...@apache.org on 2019/12/11 11:52:55 UTC

[tomcat] branch 8.5.x updated: Do not store username and password as session notes during authentication if they are not needed.

This is an automated email from the ASF dual-hosted git repository.

kkolinko pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new d0498e7  Do not store username and password as session notes during authentication if they are not needed.
d0498e7 is described below

commit d0498e737058212b21954a05a5593922d7d17502
Author: Konstantin Kolinko <kk...@apache.org>
AuthorDate: Wed Dec 11 12:59:02 2019 +0300

    Do not store username and password as session notes during authentication if they are not needed.
    
    Only FormAuthenticator reads those notes and only in the rare case when caching is turned off. Other authenticators do not need them.
    If any third-party authenticator has a need, it is possible to override register(..) as FormAuthenticator does here.
    
    It is a review of commit 1ecba14e690cf5f3f143eef6ae7037a6d3c16652.
---
 .../catalina/authenticator/AuthenticatorBase.java  | 45 ++++++++++++++--------
 .../catalina/authenticator/FormAuthenticator.java  | 27 +++++++++++++
 webapps/docs/changelog.xml                         |  4 ++
 3 files changed, 59 insertions(+), 17 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index f35fbd6..b0db003 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -1103,7 +1103,31 @@ public abstract class AuthenticatorBase extends ValveBase
     }
 
 
-    private void register(Request request, HttpServletResponse response, Principal principal,
+    /**
+     * Register an authenticated Principal and authentication type in our
+     * request, in the current session (if there is one), and with our
+     * SingleSignOn valve, if there is one. Set the appropriate cookie to be
+     * returned.
+     *
+     * @param request
+     *            The servlet request we are processing
+     * @param response
+     *            The servlet response we are generating
+     * @param principal
+     *            The authenticated Principal to be registered
+     * @param authType
+     *            The authentication type to be registered
+     * @param username
+     *            Username used to authenticate (if any)
+     * @param password
+     *            Password used to authenticate (if any)
+     * @param alwaysUseSession
+     *            Should a session always be used once a user is authenticated?
+     * @param cache
+     *            Should we cache authenticated Principals if the request is part of an
+     *            HTTP session?
+     */
+    protected void register(Request request, HttpServletResponse response, Principal principal,
             String authType, String username, String password, boolean alwaysUseSession,
             boolean cache) {
 
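Review bot: The Javadoc on the newly protected `register` still describes username and password only as "used to authenticate (if any)", but after this commit the base implementation no longer stores either value anywhere (see the second hunk of this file), so a subclass reading the doc cannot tell that persisting them is now its own responsibility. Since the method is now overridable, the description should say so and give the expected call order, e.g. add: `This implementation does not store the username or password; a subclass that needs them for re-authentication should override this method, call super.register(...), and persist them itself.` The body of register continues past the end of this hunk.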
@@ -1139,22 +1163,9 @@ public abstract class AuthenticatorBase extends ValveBase
         }
 
         // Cache the authentication information in our session, if any
-        if (session != null) {
-            if (cache) {
-                session.setAuthType(authType);
-                session.setPrincipal(principal);
-            } else {
-                if (username != null) {
-                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
-                } else {
-                    session.removeNote(Constants.SESS_USERNAME_NOTE);
-                }
-                if (password != null) {
-                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
-                } else {
-                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
-                }
-            }
+        if (session != null && cache) {
+            session.setAuthType(authType);
+            session.setPrincipal(principal);
         }
 
         // Construct a cookie to be returned to the client
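Review bot: The comment `// Cache the authentication information in our session, if any` above the merged condition no longer tells the whole story: the `cache == false` branch that used to set or clear SESS_USERNAME_NOTE / SESS_PASSWORD_NOTE is gone, and nothing here says where that responsibility went. Suggest extending it, e.g. `// Username/password session notes are not managed here; FormAuthenticator.register() stores or clears them when cache is false.` One consequence worth confirming is that the base no longer removes stale notes on the `cache == false` path, so a note left in the session by an earlier registration is kept unless the subclass clears it — FormAuthenticator's override does, but a third-party override that skips that step would not. register() starts before and ends after this hunk.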
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index e9b9839..4a508f6 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -356,6 +356,33 @@ public class FormAuthenticator
     }
 
 
+    @Override
+    protected void register(Request request, HttpServletResponse response,
+            Principal principal, String authType, String username,
+            String password, boolean alwaysUseSession, boolean cache) {
+
+        super.register(request, response, principal, authType, username, password, alwaysUseSession, cache);
+
+        // If caching an authenticated Principal is turned off,
+        // store username and password as session notes to use them for re-authentication.
+        if (!cache) {
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                if (username != null) {
+                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
+                } else {
+                    session.removeNote(Constants.SESS_USERNAME_NOTE);
+                }
+                if (password != null) {
+                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+                } else {
+                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
+                }
+            }
+        }
+    }
+
+
     /**
      * Called to forward to the login page
      *
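Review bot: The override carries only `@Override` and no Javadoc, so a reader gets no explanation of the non-obvious part of this change: that the base class deliberately stopped storing credentials and this subclass alone keeps a clear-text password in the session, and only when `cache` is false. Suggest a Javadoc above `@Override` such as: `Registers the principal as the base class does and, only when caching of the authenticated Principal is disabled, keeps the username and password as session notes (SESS_USERNAME_NOTE / SESS_PASSWORD_NOTE) so the user can be re-authenticated on later requests; a null value removes the corresponding note.` As a point of style, the `super.register(...)` call is on a single line that exceeds the width used elsewhere in the file and could be wrapped like the signature above it.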
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index efb9756..a0704ab 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -53,6 +53,10 @@
         upgrade is not possible, application code should cast to the internal
         Tomcat implementation classes. (markt)
       </scode>
+      <update>
+        Do not store username and password as session notes during
+        authentication if they are not needed. (kkolinko)
+      </update>
     </changelog>
   </subsection>
   <subsection name="Coyote">

