Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/08/11 21:58:21 UTC

svn commit: r1756056 - /tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java

Author: markt
Date: Thu Aug 11 21:58:21 2016
New Revision: 1756056

URL: http://svn.apache.org/viewvc?rev=1756056&view=rev
Log:
Follow-up for https://bz.apache.org/bugzilla/show_bug.cgi?id=59823
HttpServletRequest#authenticate() should return false for a null Principal

Modified:
    tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1756056&r1=1756055&r2=1756056&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Thu Aug 11 21:58:21 2016
@@ -549,7 +549,8 @@ public abstract class AuthenticatorBase
             }
 
             if (jaspicProvider == null && !doAuthenticate(request, response) ||
-                    jaspicProvider != null && !authenticateJaspic(request, response, jaspicState)) {
+                    jaspicProvider != null &&
+                            !authenticateJaspic(request, response, jaspicState, false)) {
                 if (log.isDebugEnabled()) {
                     log.debug(" Failed authenticate() test");
                 }
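Review bot: The rewrapped condition mixes `&&` and `||` across three lines with no grouping, so a reader has to recall operator precedence to see that the two halves are alternatives keyed on `jaspicProvider` being null or not. Parenthesizing each disjunct makes the branch structure visible and survives further wrapping: `if ((jaspicProvider == null && !doAuthenticate(request, response))` / `|| (jaspicProvider != null && !authenticateJaspic(request, response, jaspicState, false))) {`. The enclosing method starts and ends outside this hunk, so I cannot see whether the `doAuthenticate` path clears the Principal on failure the way the JASPIC path now does; worth confirming both paths leave the request in the same state.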
@@ -605,7 +606,7 @@ public abstract class AuthenticatorBase
                 return false;
             }
 
-            boolean result = authenticateJaspic(request, response, jaspicState);
+            boolean result = authenticateJaspic(request, response, jaspicState, true);
 
             secureResponseJspic(request, response, jaspicState);
 
@@ -730,7 +731,8 @@ public abstract class AuthenticatorBase
     }
 
 
-    private boolean authenticateJaspic(Request request, Response response, JaspicState state) {
+    private boolean authenticateJaspic(Request request, Response response, JaspicState state,
+            boolean requirePrincipal) {
 
         boolean cachedAuth = checkForCachedAuthentication(request, response, false);
         Subject client = new Subject();
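Review bot: The new `requirePrincipal` parameter changes the method's failure semantics but the signature has no Javadoc, and a boolean flag parameter is not self-describing at call sites. Add a short doc comment to the method stating that when `requirePrincipal` is true the method returns false if the JASPIC provider validates the request without establishing a Principal, and that when false the caller tolerates an unauthenticated outcome; also note what the return value means in each case. The method body continues past the end of this hunk.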
@@ -753,6 +755,9 @@ public abstract class AuthenticatorBase
             if (principal == null) {
                 request.setUserPrincipal(null);
                 request.setAuthType(null);
+                if (requirePrincipal) {
+                    return false;
+                }
             } else if (cachedAuth == false ||
                     !principal.getUserPrincipal().equals(request.getUserPrincipal())) {
                 // Skip registration if authentication credentials were
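Review bot: The added early return is correct in that `setUserPrincipal(null)` and `setAuthType(null)` have already run, so the request carries no stale identity, but the `requirePrincipal == false` fall-through silently continues into whatever the rest of the method returns, which is outside this hunk. A comment on the new branch would make the asymmetry deliberate rather than accidental: `// An explicit authenticate() call needs a Principal; the invoke path may continue unauthenticated.` If the remainder of the method returns true in the fall-through case, that is the documented JASPIC behaviour for the pipeline, but it deserves stating next to this check.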


