Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/03/06 20:46:44 UTC
svn commit: r1785762 - in /tomcat/trunk:
java/org/apache/catalina/connector/Request.java webapps/docs/changelog.xml
Author: markt
Date: Mon Mar 6 20:46:44 2017
New Revision: 1785762
URL: http://svn.apache.org/viewvc?rev=1785762&view=rev
Log:
Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager.
Patch provided by Jan Engehausen.
Modified:
tomcat/trunk/java/org/apache/catalina/connector/Request.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1785762&r1=1785761&r2=1785762&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Mon Mar 6 20:46:44 2017
@@ -1865,24 +1865,35 @@ public class Request implements HttpServ
*
* @param principal The user Principal
*/
- public void setUserPrincipal(Principal principal) {
-
- if (Globals.IS_SECURITY_ENABLED){
- HttpSession session = getSession(false);
- if ( (subject != null) &&
- (!subject.getPrincipals().contains(principal)) ){
- subject.getPrincipals().add(principal);
- } else if (session != null &&
- session.getAttribute(Globals.SUBJECT_ATTR) == null) {
- subject = new Subject();
+ public void setUserPrincipal(final Principal principal) {
+ if (Globals.IS_SECURITY_ENABLED) {
+ if (subject == null) {
+ final HttpSession session = getSession(false);
+ if (session == null) {
+ // Cache the subject in the request
+ subject = newSubject(principal);
+ } else {
+ // Cache the subject in the request and the session
+ subject = (Subject) session.getAttribute(Globals.SUBJECT_ATTR);
+ if (subject == null) {
+ subject = newSubject(principal);
+ session.setAttribute(Globals.SUBJECT_ATTR, subject);
+ } else {
+ subject.getPrincipals().add(principal);
+ }
+ }
+ } else {
subject.getPrincipals().add(principal);
}
- if (session != null){
- session.setAttribute(Globals.SUBJECT_ATTR, subject);
- }
}
+ userPrincipal = principal;
+ }
+
- this.userPrincipal = principal;
+ private Subject newSubject(final Principal principal) {
+ final Subject result = new Subject();
+ result.getPrincipals().add(principal);
+ return result;
}
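Review bot: A null `principal` would reach `Subject.getPrincipals().add(...)` in `newSubject` and in both `subject.getPrincipals().add(principal)` branches, and that set rejects null with a NullPointerException. The removed code left the Subject untouched when there was neither a cached subject nor a session, so the no-session path is newly exposed. If any caller clears the user by passing null (callers are not visible in this hunk), a guard such as `if (Globals.IS_SECURITY_ENABLED && principal != null) {` would keep that path working. Separately, the Subject read from `Globals.SUBJECT_ATTR` only ever gains principals, so a session that authenticates again as a different user would presumably keep the earlier principal in the cached Subject unless that attribute is cleared elsewhere. A comment on that branch saying whether this is intended, e.g. `// principals from earlier authentications in this session are retained`, would help the next reader.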
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1785762&r1=1785761&r2=1785762&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Mar 6 20:46:44 2017
@@ -162,6 +162,11 @@
<code>ServletRequest.getParameterMap()</code> is fully immutable. Based
on a patch provided by woosan. (markt)
</fix>
+ <fix>
+ <bug>60824</bug>: Correctly cache the <code>Subject</code> in the
+ session - if there is a session - when running under a
+ <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">