You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/07/06 15:11:41 UTC
DO NOT REPLY [Bug 10526] New: -
Authenticators do not always cache the Principal
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10526>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=10526
Authenticators do not always cache the Principal
Summary: Authenticators do not always cache the Principal
Product: Tomcat 4
Version: Nightly Build
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: j.g.holman@qmul.ac.uk
Once a user is authenticated a Principal object is supposed to be cached for
the duration of the user's session. This is especially important when using
JDBCRealm or JNDIRealm to reduce the load on external authentication services.
Most authenticators (BasicAuthenticator, SSLAuthenticator and
DigestAuthenticator) call AuthenticatorBase.register()to cache the Principal.
However register() does nothing if a session object does not already exist, so
caching does not occur when the application does not create a session object
itself. The problem can be seen by setting a security constraint on tomcat-docs
and then browsing the Tomcat documentation - the external authentication
service is hit on every request.
The problem does not occur with form based login, because FormAuthenticator
caches the Principal itself and creates a new session if necessary to do it.
Probably the best fix would be to change AuthenticatorBase.register() to create
a new session by calling getSession(request, true) instead of getSession
(request, false). However, perhaps there is a reason why this is not being
done - though if so I cannot see what it is.
An alternative is to change the concrete authentication classes to make sure a
session exists before calling register(), e.g.
--- BasicAuthenticator.java 23 Mar 2002 17:52:16 -0000 1.12
+++ BasicAuthenticator.java 6 Jul 2002 12:46:30 -0000
@@ -160,6 +160,7 @@
String password = parsePassword(authorization);
principal = context.getRealm().authenticate(username, password);
if (principal != null) {
+ Session session = getSession(request, true);
register(request, response, principal, Constants.BASIC_METHOD,
username, password);
return (true);
Similar patches would be required for SSLAuthenticator and DigestAuthenticator
of course.
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>