Posted to dev@tomcat.apache.org by ma...@apache.org on 2022/08/22 07:43:38 UTC

[tomcat] branch 9.0.x updated: Preparation for fixing BZ 66120

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 4acf70326a Preparation for fixing BZ 66120
4acf70326a is described below

commit 4acf70326a221e7af80c353808f3a5661287485a
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Aug 22 08:43:11 2022 +0100

    Preparation for fixing BZ 66120
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=66120
    
    Once BZ 66120 is fixed, the session note that holds the current session
    ID during FORM authentication will be replicated across the cluster. If
    failover occurs during FORM authentication, this note also needs to be
    updated.
    
    This change is a NO-OP until the fix for BZ 66120 is committed.
---
 .../catalina/ha/session/JvmRouteBinderValve.java      | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java b/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
index bfde34a080..be01f158bb 100644
--- a/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
+++ b/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
@@ -24,6 +24,7 @@ import org.apache.catalina.Cluster;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.Manager;
 import org.apache.catalina.Session;
+import org.apache.catalina.authenticator.Constants;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.ha.CatalinaCluster;
@@ -327,6 +328,7 @@ public class JvmRouteBinderValve extends ValveBase implements ClusterValve {
         fireLifecycleEvent("Before session migration", catalinaSession);
         catalinaSession.getManager().changeSessionId(catalinaSession, newSessionID);
         changeRequestSessionID(request, sessionId, newSessionID);
+        changeSessionAuthenticationNote(sessionId, newSessionID, catalinaSession);
         fireLifecycleEvent("After session migration", catalinaSession);
         if (log.isDebugEnabled()) {
             log.debug(sm.getString("jvmRoute.changeSession", sessionId,
@@ -356,6 +358,23 @@ public class JvmRouteBinderValve extends ValveBase implements ClusterValve {
     }
 
 
+    /**
+     * Change the current session ID that is stored in a session note during
+     * authentication. It is part of the CSRF protection.
+     *
+     * @param sessionId         The original session ID
+     * @param newSessionID      The new session ID for node migration
+     * @param catalinaSession   The session object (that will be using the new
+     *                              session ID at the point this method is
+     *                              called)
+     */
+    protected void changeSessionAuthenticationNote(String sessionId, String newSessionID, Session catalinaSession) {
+        if (sessionId.equals(catalinaSession.getNote(Constants.SESSION_ID_NOTE))) {
+            catalinaSession.setNote(Constants.SESSION_ID_NOTE, newSessionID);
+        }
+    }
+
+
     /**
      * Start this component and implement the requirements
      * of {@link org.apache.catalina.util.LifecycleBase#startInternal()}.
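Review bot: changeSessionAuthenticationNote() leaves the note untouched whenever it does not equal the old session ID, and nothing in the hunk says whether that is deliberate fail-closed behaviour or an oversight; a one-line comment before the `if` would settle it, e.g. `// A note that does not match the old ID is left alone so the FORM authenticator's later session-ID comparison still rejects the request`. The Javadoc's "It is part of the CSRF protection" is the only description of what the note guards, which is inferred from FormAuthenticator rather than visible here; if its actual role is detecting a session ID change between the login form being served and the credentials being posted (what comparing the note to the ID suggests), stating that would explain why only an exact match is rewritten. Because `getNote` returns null on a node that never received the note, the `sessionId.equals(...)` check is null-safe and the method is a no-op today, consistent with the commit message. The call site in the hunk above runs this after `changeSessionId(...)`, so the ID and the note change in two steps; if the two are replicated to peers as separate updates, another node could briefly observe the new ID with the old note, which is worth confirming once BZ 66120 lands.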

