Posted to dev@tomcat.apache.org by kk...@apache.org on 2019/12/11 10:23:48 UTC

[tomcat] branch 7.0.x updated: Do not store username and password as session notes during authentication if they are not needed.

This is an automated email from the ASF dual-hosted git repository.

kkolinko pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
     new fb0d5b6  Do not store username and password as session notes during authentication if they are not needed.
fb0d5b6 is described below

commit fb0d5b6cd4a3b0de6bd78dae906d95ef5616d965
Author: Konstantin Kolinko <kk...@apache.org>
AuthorDate: Wed Dec 11 13:17:42 2019 +0300

    Do not store username and password as session notes during authentication if they are not needed.
    
    Only FormAuthenticator reads those notes and only in the rare case when caching is turned off. Other authenticators do not need them.
    If any third-party authenticator needs those notes, it can override register(..) the way FormAuthenticator does here.
    
    It is a review of commit 1ecba14e690cf5f3f143eef6ae7037a6d3c16652.
---
 .../catalina/authenticator/AuthenticatorBase.java  | 19 +++------------
 .../catalina/authenticator/FormAuthenticator.java  | 27 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  4 ++++
 3 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 52bff92..f5e76a3 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -918,22 +918,9 @@ public abstract class AuthenticatorBase extends ValveBase
         }
 
         // Cache the authentication information in our session, if any
-        if (session != null) {
-            if (cache) {
-                session.setAuthType(authType);
-                session.setPrincipal(principal);
-            } else {
-                if (username != null) {
-                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
-                } else {
-                    session.removeNote(Constants.SESS_USERNAME_NOTE);
-                }
-                if (password != null) {
-                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
-                } else {
-                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
-                }
-            }
+        if (session != null && cache) {
+            session.setAuthType(authType);
+            session.setPrincipal(principal);
         }
 
         // Construct a cookie to be returned to the client
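Review bot: The base `register` now ignores its `username` and `password` parameters entirely, yet nothing in the hunk tells a reader or a subclass author that this is intentional; the method's Javadoc sits above the hunk and, if it still describes those parameters as credentials that get stored for later use, it is now wrong. Suggest updating it to state that the base implementation records only the auth type and principal, and only when `cache` is true, and that an authenticator which needs the credentials for re-authentication must override `register` and keep (and clear) them itself. The comment on the surviving branch could also be made precise, e.g. `// Cache the authenticated Principal in the session, but only when caching is enabled`. Note that since the `cache == false` branch no longer removes `SESS_USERNAME_NOTE`/`SESS_PASSWORD_NOTE`, a register call with null credentials from a subclass that set them will leave them in place unless that subclass clears them; whether the base logout path relies on this cannot be seen from the hunk. The enclosing `register` method starts before and continues after this hunk.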
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 1204d4c..e5e1d8d 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -369,6 +369,33 @@ public class FormAuthenticator
     }
 
 
+    @Override
+    public void register(Request request, HttpServletResponse response,
+            Principal principal, String authType, String username,
+            String password) {
+
+        super.register(request, response, principal, authType, username, password);
+
+        // If caching an authenticated Principal is turned off,
+        // store username and password as session notes to use them for re-authentication.
+        if (!cache) {
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                if (username != null) {
+                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
+                } else {
+                    session.removeNote(Constants.SESS_USERNAME_NOTE);
+                }
+                if (password != null) {
+                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+                } else {
+                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
+                }
+            }
+        }
+    }
+
+
     /**
      * Called to forward to the login page
      *
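Review bot: The new `register` override has no Javadoc, and its contract is not obvious from the code: it touches the session notes only when `cache` is false, and a null `username` or `password` removes the corresponding note rather than leaving it untouched, which is what makes a register-with-null-credentials call (presumably the logout path, not visible here) drop the stored password. Suggest a Javadoc above the `@Override` stating exactly that, and spelling out the security trade-off the inline comment only hints at: with caching disabled the password is kept in clear text in the session note for as long as the session lives, so that the user can be re-authenticated against the Realm on later requests. If `authenticate()` still sets these notes on its own before calling `register` when `cache` is true, this override does not clear them and the removal has to stay in that path; that cannot be confirmed from this hunk.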
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1d43ebd..35379ab 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -99,6 +99,10 @@
         the authenticated Principal is not cached in the session when caching is
         disabled. (markt)
       </fix>
+      <update>
+        Do not store username and password as session notes during
+        authentication if they are not needed. (kkolinko)
+      </update>
     </changelog>
   </subsection>
   <subsection name="Coyote">

