Posted to issues@cxf.apache.org by "Tomas Milian (Jira)" <ji...@apache.org> on 2023/10/19 07:31:00 UTC

[jira] [Updated] (FEDIZ-256) Tomcat authenticationSessionTimeout

     [ https://issues.apache.org/jira/browse/FEDIZ-256?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomas Milian updated FEDIZ-256:
-------------------------------
    Description: 
Hello,

I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.

Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute (authenticationSessionTimeout) that breaks the Fediz authentication process.

Fediz uses FormAuthenticator to save the request; the change introduced in Tomcat 9.0.74 replaces the original session timeout with the authenticationSessionTimeout default value (120 seconds).
{code:java}
        if (session instanceof HttpSession && ((HttpSession) session).isNew()) {
            int originalMaxInactiveInterval = session.getMaxInactiveInterval();
            if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
                saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
                session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
            }
        } {code}
Once the Fediz authentication is resumed, the session maxInactiveInterval is not restored, so the authenticated session always ends up with a 120 second maxInactiveInterval.

  was:
Hello,

I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.

Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute (authenticationSessionTimeout) that breaks the Fediz authentication process.

Fediz uses FormAuthenticator to save the request; the change introduced in Tomcat 9.0.74 replaces the original session timeout with the authenticationSessionTimeout default value (120 seconds).
{code:java}

        if (session instanceof HttpSession && ((HttpSession) session).isNew()) {
            int originalMaxInactiveInterval = session.getMaxInactiveInterval();
            if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
                saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
                session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
            }
        } {code}
Once the Fediz authentication is resumed, the session maxIncactiveInterval is not restored, so the authenticated session always ends up with a 120 second maxInactiveInterval.


> Tomcat authenticationSessionTimeout
> -----------------------------------
>
>                 Key: FEDIZ-256
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-256
>             Project: CXF-Fediz
>          Issue Type: Bug
>          Components: Plugin
>    Affects Versions: 1.6.1
>            Reporter: Tomas Milian
>            Priority: Major
>
> Hello,
> I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.
> Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute (authenticationSessionTimeout) that breaks the Fediz authentication process.
> Fediz uses FormAuthenticator to save the request; the change introduced in Tomcat 9.0.74 replaces the original session timeout with the authenticationSessionTimeout default value (120 seconds).
> {code:java}
>         if (session instanceof HttpSession && ((HttpSession) session).isNew()) {
>             int originalMaxInactiveInterval = session.getMaxInactiveInterval();
>             if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
>                 saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
>                 session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
>             }
>         } {code}
> Once the Fediz authentication is resumed, the session maxInactiveInterval is not restored, so the authenticated session always ends up with a 120 second maxInactiveInterval.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
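The failure mode described in the report, as an added example that is not part of the Jira issue and not Fediz or Tomcat code. The `Session` and `SavedRequest` classes below are minimal stand-ins for Tomcat's `org.apache.catalina.Session` and `org.apache.catalina.authenticator.SavedRequest`; the note key and the 120-second default are Tomcat's, and `saveRequest` mirrors the snippet quoted above. The two `resume...` methods are hypothetical: one consumes the saved request without touching the timeout (the behaviour the report describes), the other restores the original interval first and guards the edge case where nothing was shortened.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Fediz or Tomcat code). Models how Tomcat 9.0.74's
 * FormAuthenticator.saveRequest() shortens a new session's timeout while an
 * unauthenticated request is parked, and what a resuming authenticator must do
 * to undo that. Session and SavedRequest are minimal stand-ins for Tomcat's
 * org.apache.catalina.Session and org.apache.catalina.authenticator.SavedRequest.
 */
public class SessionTimeoutRestoreDemo {

    /** Stand-in for Tomcat's Session: timeout, isNew flag and the notes map. */
    static final class Session {
        private int maxInactiveInterval;
        private final Map<String, Object> notes = new HashMap<>();

        Session(int maxInactiveInterval) {
            this.maxInactiveInterval = maxInactiveInterval;
        }
        int getMaxInactiveInterval() { return maxInactiveInterval; }
        void setMaxInactiveInterval(int seconds) { maxInactiveInterval = seconds; }
        // A session created for the parked request is always new in this model.
        boolean isNew() { return true; }
        void setNote(String key, Object value) { notes.put(key, value); }
        Object getNote(String key) { return notes.get(key); }
        void removeNote(String key) { notes.remove(key); }
    }

    /** Stand-in for Tomcat's SavedRequest; 0 means the timeout was never shortened. */
    static final class SavedRequest {
        private int originalMaxInactiveInterval;
        int getOriginalMaxInactiveInterval() { return originalMaxInactiveInterval; }
        void setOriginalMaxInactiveInterval(int seconds) { originalMaxInactiveInterval = seconds; }
    }

    /** Note key Tomcat uses for the saved request (Constants.FORM_REQUEST_NOTE). */
    static final String FORM_REQUEST_NOTE = "org.apache.catalina.authenticator.REQUEST";
    /** Tomcat's default for the authenticationSessionTimeout attribute, in seconds. */
    static final int AUTHENTICATION_SESSION_TIMEOUT = 120;

    /** Mirrors the logic quoted in the report: shorten the timeout, remember the original. */
    static void saveRequest(Session session) {
        SavedRequest saved = new SavedRequest();
        if (session.isNew()) {
            int original = session.getMaxInactiveInterval();
            if (original > AUTHENTICATION_SESSION_TIMEOUT) {
                saved.setOriginalMaxInactiveInterval(original);
                session.setMaxInactiveInterval(AUTHENTICATION_SESSION_TIMEOUT);
            }
        }
        session.setNote(FORM_REQUEST_NOTE, saved);
    }

    /** Resume as the report describes it: the note is consumed, the timeout stays at 120. */
    static int resumeWithoutRestore(Session session) {
        session.removeNote(FORM_REQUEST_NOTE);
        return session.getMaxInactiveInterval();
    }

    /** Resume with the missing step: put the original timeout back before dropping the note. */
    static int resumeWithRestore(Session session) {
        SavedRequest saved = (SavedRequest) session.getNote(FORM_REQUEST_NOTE);
        // Guard on > 0: a stored 0 means "never shortened", and in Tomcat a zero or
        // negative interval makes the session never expire, which is worse than 120 s.
        if (saved != null && saved.getOriginalMaxInactiveInterval() > 0) {
            session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval());
        }
        session.removeNote(FORM_REQUEST_NOTE);
        return session.getMaxInactiveInterval();
    }

    public static void main(String[] args) {
        // Constructed scenario: a web.xml session-timeout of 30 minutes (1800 s).
        Session buggy = new Session(1800);
        saveRequest(buggy);
        System.out.println("after saveRequest:   " + buggy.getMaxInactiveInterval() + " s");
        System.out.println("resume, no restore:  " + resumeWithoutRestore(buggy) + " s");

        Session fixed = new Session(1800);
        saveRequest(fixed);
        System.out.println("resume, restored:    " + resumeWithRestore(fixed) + " s");

        // Edge case: a configured timeout already at or below 120 s is never shortened,
        // so nothing is stored and the restore step must leave the session alone.
        Session shortLived = new Session(60);
        saveRequest(shortLived);
        System.out.println("short timeout kept:  " + resumeWithRestore(shortLived) + " s");
    }
}
```

Run it with `java SessionTimeoutRestoreDemo.java` on JDK 11 or later. The same check on a live deployment is a one-liner after a completed Fediz login: compare `request.getSession().getMaxInactiveInterval()` with the `session-timeout` configured in web.xml; a value of 120 where a larger timeout is configured is the symptom the report describes. Raising `authenticationSessionTimeout` on the Valve only changes that number, it does not bring back the missing restore step.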