Posted to dev@tomcat.apache.org by "Nelson, Luke" <Lu...@itssiemens.com> on 2003/11/24 21:31:00 UTC

RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAut

Brian, I believe I just fixed those issues.  See the latest patch to
9077.

Luke Nelson

> -----Original Message-----
> From: Brian Stansberry [mailto:brian_stansberry@wanconcepts.com]
> Sent: Monday, November 24, 2003 1:27 PM
> To: Tomcat Developers List
> Subject: Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator
> SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java
> DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java
> SSLAut
> 
> At 08:21 PM 11/24/2003 +0100, Remy wrote:
> >Brian Stansberry wrote:
> >>At 11:56 AM 11/24/2003 -0600, Luke Nelson wrote:
> >>
> >>>I have tried applying the patch, and I found three problems with
> >>>it. First, its removal of a session from the SingleSignOnEntry
> >>>object causes an IndexOutOfBounds exception.  Second, the method
> >>>for determining whether the user explicitly logged out or whether a
> >>>session timed out doesn't scale one of the numbers correctly (i.e.
> >>>comparing millisecond values to seconds).  I have fixed the patch,
> >>>but I don't have a diff of it yet (I'm new to helping with this
> >>>project).  Finally, the patch doesn't synchronize on 'reverse' when
> >>>removing an entry from it.
> >>
> >>I also looked at the code for StandardSession.getLastAccessedTime()
> >>and it looks as if it will throw an IllegalStateException if the
> >>session is expired.  So that would break the algorithm used in the
> >>9077 patch.
> >>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify
> >>throwing an IllegalStateException for a call to
> >>getLastAccessedTime().  It looks as if the exception throw was added
> >>in response to bug 15967, which stated that the javadoc does specify
> >>the exception, but I'm looking at the javadoc for both Servlet 2.3
> >>and 2.4, and in both cases it's not specified.
> >
> >Can you address those issues ASAP? (incl the array out of bounds and the
> >sync issue)
> 
> Sure; I'm starting on it now.  However, Jean-Francois found an HttpSession
> javadoc that specifies throwing an IllegalStateException in
> getLastAccessedTime().  If that is in the final spec, the 9077 patch
> algorithm will not work.  I'll work on it anyway in case the exception's
> not in the final spec.
> 
> As a backup, I've attached a patch that restores your earlier removal of
> the logout code.
> 
> 
> Brian Stansberry
> WAN Concepts, Inc.
> www.wanconcepts.com
> Tel:    (510) 894-0114 x 116
> Fax:    (510) 797-3005

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAut

Posted by Remy Maucherat <re...@apache.org>.
Nelson, Luke wrote:

> Brian, I believe I just fixed those issues.  See the latest patch to
> 9077.

Did you actually test it? Your patch calls getLastModified; does this
really work if the session *did* time out (and as such is no longer valid)?

Rémy


