Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/11/24 09:26:05 UTC

[tomcat] branch 10.0.x updated: Expand code comments

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
     new 539c572  Expand code comments
539c572 is described below

commit 539c5721840c3f2f58c0651b7e171158a2d6b674
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Nov 24 09:25:19 2021 +0000

    Expand code comments
---
 java/org/apache/catalina/connector/Request.java | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index da40d08..f192552 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2624,13 +2624,23 @@ public class Request implements HttpServletRequest {
             if (gssCredential != null) {
                 int left = -1;
                 try {
+                    // Concurrent calls to this method from an expired session
+                    // can trigger an ISE. If one thread calls logout() below
+                    // before another thread calls getRemainingLifetime() then
+                    // then since logout() eventually calls
+                    // GSSCredential.dispose(), the subsequent call to
+                    // GSSCredential.getRemainingLifetime() will throw an ISE.
+                    // Avoiding the ISE would require locking in this method to
+                    // protect against concurrent access to the GSSCredential.
+                    // That would have a small performance impact. The ISE is
+                    // rare so it is caught and handled rather than avoided.
                     left = gssCredential.getRemainingLifetime();
                 } catch (GSSException | IllegalStateException e) {
                     log.warn(sm.getString("coyoteRequest.gssLifetimeFail",
                             userPrincipal.getName()), e);
                 }
-                // zero is expired.
-                // Should never be less than zero but handle those values too
+                // zero is expired. Exception above will mean left == -1
+                // Treat both as expired.
                 if (left <= 0) {
                     // GSS credential has expired. Need to re-authenticate.
                     try {
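Review bot: The comment added above `gssCredential.getRemainingLifetime()` has a doubled word across a line break ("... getRemainingLifetime() then" followed by "then since logout() ..."); drop one `then`. The second new comment could also state why mapping the failure to expiry is the safe choice, e.g. `// zero is expired. An exception above leaves left == -1. Treat both as expired so a credential whose lifetime cannot be read forces re-authentication.` Since the comment describes the ISE as an expected race rather than a fault, it may be worth confirming that `log.warn(..., e)` with a full stack trace is the intended level for it. The enclosing method starts and ends outside this hunk, so the logout path the comment refers to is not visible here.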
