Posted to dev@tomcat.apache.org by bu...@apache.org on 2018/07/17 08:15:29 UTC
[Bug 62547] New: JASPIC cleanSubject not called on logout for cached authentications
https://bz.apache.org/bugzilla/show_bug.cgi?id=62547
Bug ID: 62547
Summary: JASPIC cleanSubject not called on logout for cached authentications
Product: Tomcat 8
Version: 8.5.20
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: z06.guillermo@gmail.com
Target Milestone: ----
When authentication takes place via JASPIC and there was no cached user
principal, the clientSubject is stored in the request:
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L813
On logout, the stored clientSubject is retrieved in order to pass it as an
argument to ServerAuthContext#cleanSubject():
https://github.com/apache/tomcat/blob/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java#L1138
The problem is that when authentication was performed on a previous request (i.e. it
was cached), the subject is not stored, and so cleanSubject is not called, since
the subject must not be null.
The solution might be just to always store the subject, despite the
authentication being cached. I can provide a PR myself if someone confirms
that's a valid solution.
I have only tested this on 8.5.20 (TomEE 7.0.4) but the affected code is the
same on other versions.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
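The flow described in the report, as an added illustration that is not Tomcat's code: a stripped-down model of the authenticate/logout sequence in which the first request runs the JASPIC module and caches the principal, the second request is served from that cache, and logout then looks for the stored Subject before calling cleanSubject(). A flag switches between the reported behaviour (Subject stored only when the module actually ran) and the proposed fix (Subject stored on every authenticated request). Every class, attribute name and method here is hypothetical; only javax.security.auth.Subject and java.security.Principal are real JDK types.

```java
// Added example, not code from Tomcat or from the bug reporter. Models why
// cleanSubject() is skipped on logout after a cache hit, and how always storing
// the Subject fixes it. All names except Subject and Principal are hypothetical.
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

public class CachedAuthLogoutDemo {

    // Stand-in for a ServerAuthContext: authenticates "alice" and counts
    // how many times cleanSubject() is invoked.
    static class FakeAuthContext {
        int cleanSubjectCalls = 0;

        void validateRequest(Subject clientSubject) {
            clientSubject.getPrincipals().add(() -> "alice");
        }

        void cleanSubject(Subject subject) {
            cleanSubjectCalls++;
            subject.getPrincipals().clear();
        }
    }

    // Minimal request: per-request attributes plus a cache shared by all
    // requests of the same client (stands in for the session-cached principal).
    static class FakeRequest {
        final Map<String, Object> attributes = new HashMap<>();
        final Map<String, Principal> sessionCache;
        Principal userPrincipal;

        FakeRequest(Map<String, Principal> sessionCache) {
            this.sessionCache = sessionCache;
        }
    }

    static final String SUBJECT_ATTR = "jaspic.subject"; // hypothetical attribute key

    // Model of authenticate(). With storeSubjectAlways=false the Subject is only
    // stored when the module ran (the reported bug); with true it is also stored
    // on the cached path (the fix).
    static void authenticate(FakeRequest req, FakeAuthContext ctx, boolean storeSubjectAlways) {
        Subject clientSubject = new Subject();
        Principal cached = req.sessionCache.get("principal");
        if (cached != null) {
            req.userPrincipal = cached;
            if (storeSubjectAlways) {
                req.attributes.put(SUBJECT_ATTR, clientSubject);
            }
            return;
        }
        ctx.validateRequest(clientSubject);
        req.userPrincipal = clientSubject.getPrincipals().iterator().next();
        req.sessionCache.put("principal", req.userPrincipal);
        req.attributes.put(SUBJECT_ATTR, clientSubject);
    }

    // Model of logout(): cleanSubject() runs only if a Subject was stored.
    static void logout(FakeRequest req, FakeAuthContext ctx) {
        Subject subject = (Subject) req.attributes.get(SUBJECT_ATTR);
        if (subject != null) {
            ctx.cleanSubject(subject);
        }
        req.sessionCache.remove("principal");
        req.userPrincipal = null;
    }

    // Request 1 authenticates (module runs, principal cached); request 2 hits the
    // cache and then logs out. Returns the number of cleanSubject() calls seen.
    static int cleanSubjectCallsAfterCachedLogout(boolean storeSubjectAlways) {
        FakeAuthContext ctx = new FakeAuthContext();
        Map<String, Principal> session = new HashMap<>();
        FakeRequest first = new FakeRequest(session);
        authenticate(first, ctx, storeSubjectAlways);
        FakeRequest second = new FakeRequest(session);
        authenticate(second, ctx, storeSubjectAlways);
        logout(second, ctx);
        return ctx.cleanSubjectCalls;
    }

    public static void main(String[] args) {
        System.out.println("store only when module ran: cleanSubject calls = "
                + cleanSubjectCallsAfterCachedLogout(false));
        System.out.println("always store subject:       cleanSubject calls = "
                + cleanSubjectCallsAfterCachedLogout(true));
    }
}
```

With the flag false the module's cleanSubject() never runs on the cached logout, so whatever state the module holds for that client is left behind; with the flag true it runs once, matching the one-line change proposed in the thread.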
[Bug 62547] JASPIC cleanSubject not called on logout for cached authentications
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62547
Arjan Tijms <ar...@gmail.com> changed:
What | Removed | Added
-----+---------+----------------------
CC   |         | arjan.tijms@gmail.com
OS   |         | All
[Bug 62547] JASPIC cleanSubject not called on logout for cached authentications
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62547
--- Comment #1 from Guillermo González de Agüero <z0...@gmail.com> ---
Since it was (IMHO) a one-line change, I provided a PR:
https://github.com/apache/tomcat/pull/116
[Bug 62547] JASPIC cleanSubject not called on logout for cached authentications
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62547
Mark Thomas <ma...@apache.org> changed:
What       | Removed | Added
-----------+---------+---------
Resolution | ---     | FIXED
Status     | NEW     | RESOLVED
--- Comment #2 from Mark Thomas <ma...@apache.org> ---
+1
That was pretty much the change I was thinking of after reviewing the code and
your bug description.
Fixed in:
- trunk for 9.0.11 onwards
- 8.5.x for 8.5.33 onwards