Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/08/11 21:58:21 UTC
svn commit: r1756056 -
/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Author: markt
Date: Thu Aug 11 21:58:21 2016
New Revision: 1756056
URL: http://svn.apache.org/viewvc?rev=1756056&view=rev
Log:
Follow-up for https://bz.apache.org/bugzilla/show_bug.cgi?id=59823
HttpServletRequest#authenticate() should return false for a null Principal
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1756056&r1=1756055&r2=1756056&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Thu Aug 11 21:58:21 2016
@@ -549,7 +549,8 @@ public abstract class AuthenticatorBase
}
if (jaspicProvider == null && !doAuthenticate(request, response) ||
- jaspicProvider != null && !authenticateJaspic(request, response, jaspicState)) {
+ jaspicProvider != null &&
+ !authenticateJaspic(request, response, jaspicState, false)) {
if (log.isDebugEnabled()) {
log.debug(" Failed authenticate() test");
}
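Review bot: The rewritten condition at the top of the hunk mixes two `&&` clauses under a bare `||` and adds an unexplained `false` literal, which makes a security-sensitive branch harder to read than it needs to be. Explicit grouping and a short comment on the literal would make the intent clear: `if ((jaspicProvider == null && !doAuthenticate(request, response)) ||` / `(jaspicProvider != null &&` / `!authenticateJaspic(request, response, jaspicState, false /* requirePrincipal */))) {`. Operator precedence already yields the same evaluation, so this is readability only. The enclosing method starts before and continues after the hunk.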
@@ -605,7 +606,7 @@ public abstract class AuthenticatorBase
return false;
}
- boolean result = authenticateJaspic(request, response, jaspicState);
+ boolean result = authenticateJaspic(request, response, jaspicState, true);
secureResponseJspic(request, response, jaspicState);
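Review bot: Passing `true` here makes a SAM success that carries no Principal surface to the caller as `false`, but the Servlet contract for `HttpServletRequest#authenticate()` ties a `false` return to a challenge already committed in the response, and nothing in this hunk shows that a challenge was written on that path. If the SAM reported success without a Principal and without committing the response, callers receive `false` with nothing to forward to the client; consider whether that case should instead throw `ServletException`, or at least document the chosen behaviour on the method, e.g. `// A SAM success that yields no Principal is reported as a failed authenticate() (BZ 59823)`. This is inferred from the visible call only: the enclosing method begins before and ends after the hunk, and `secureResponseJspic` still runs regardless of `result`.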
@@ -730,7 +731,8 @@ public abstract class AuthenticatorBase
}
- private boolean authenticateJaspic(Request request, Response response, JaspicState state) {
+ private boolean authenticateJaspic(Request request, Response response, JaspicState state,
+ boolean requirePrincipal) {
boolean cachedAuth = checkForCachedAuthentication(request, response, false);
Subject client = new Subject();
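Review bot: The new `requirePrincipal` parameter is undocumented, and both call sites pass bare literals, so the difference between the container-managed and programmatic paths is only discoverable by reading the body. A Javadoc on `authenticateJaspic` should state it, e.g. `@param requirePrincipal if {@code true}, a successful SAM validation that yields no Principal is treated as a failed authentication (the {@code HttpServletRequest#authenticate()} contract); if {@code false} it is accepted and the request proceeds without a user Principal`. The method body continues past the end of the hunk.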
@@ -753,6 +755,9 @@ public abstract class AuthenticatorBase
if (principal == null) {
request.setUserPrincipal(null);
request.setAuthType(null);
+ if (requirePrincipal) {
+ return false;
+ }
} else if (cachedAuth == false ||
!principal.getUserPrincipal().equals(request.getUserPrincipal())) {
// Skip registration if authentication credentials were
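Review bot: The early `return false` added after the Principal and auth type are cleared has no comment explaining why a null Principal is a failure only on one path, and it exits before the registration branch and whatever follows the `if`/`else if` chain outside the hunk. A why-comment would stop the next maintainer from "fixing" the asymmetry: `// Programmatic authenticate() must not report success without a Principal; the container-managed path tolerates it (BZ 59823 follow-up)`. Note also that when `cachedAuth` is true the request-level Principal set by `checkForCachedAuthentication` is cleared here while the cached entry is presumably left untouched — worth confirming that is the intended outcome when the SAM returns no Principal.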