You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by kk...@apache.org on 2012/12/06 14:59:00 UTC
svn commit: r1417891 - in /tomcat/tc6.0.x/trunk: STATUS.txt
java/org/apache/catalina/authenticator/FormAuthenticator.java
webapps/docs/changelog.xml
Author: kkolinko
Date: Thu Dec 6 13:58:59 2012
New Revision: 1417891
URL: http://svn.apache.org/viewvc?rev=1417891&view=rev
Log:
In FormAuthenticator: If it is configured to change Session IDs,
do the change before displaying the login form.
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1417891&r1=1417890&r2=1417891&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Dec 6 13:58:59 2012
@@ -94,13 +94,6 @@ PATCHES PROPOSED TO BACKPORT:
+1: kkolinko
-1:
-* In FormAuthenticator: If it is configured to change Session IDs,
- do the change before displaying the login form.
- http://svn.apache.org/viewvc?view=revision&revision=1408044
- (r1408043 in trunk)
- +1: kkolinko, kfujino, schultz
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=54087
Correctly handle (ignore) invalid If-Modified-Since
header rather than throwing an exception.
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1417891&r1=1417890&r2=1417891&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Thu Dec 6 13:58:59 2012
@@ -31,6 +31,7 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Globals;
+import org.apache.catalina.Manager;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
@@ -322,6 +323,15 @@ public class FormAuthenticator
config.getLoginPage(), context.getName()));
}
+ if (getChangeSessionIdOnAuthentication()) {
+ Session session = request.getSessionInternal(false);
+ if (session != null) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+ }
+
// Always use GET for the login page, regardless of the method used
String oldMethod = request.getCoyoteRequest().method().toString();
request.getCoyoteRequest().method().setString("GET");
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1417891&r1=1417890&r2=1417891&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Dec 6 13:58:59 2012
@@ -47,6 +47,10 @@
<subsection name="Catalina">
<changelog>
<fix>
+ In FormAuthenticator: If it is configured to change Session IDs,
+ do the change before displaying the login form. (kkolinko)
+ </fix>
+ <fix>
<bug>54054</bug>: Do not share shell environment variables between
multiple instances of the CGI servlet. (markt)
</fix>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org