You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by kk...@apache.org on 2012/11/11 17:42:03 UTC

svn commit: r1408044 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/authenticator/FormAuthenticator.java webapps/docs/changelog.xml

Author: kkolinko
Date: Sun Nov 11 16:42:02 2012
New Revision: 1408044

URL: http://svn.apache.org/viewvc?rev=1408044&view=rev
Log:
Merged revision 1408043 from tomcat/trunk:
In FormAuthenticator: If it is configured to change Session IDs,
do the change before displaying the login form.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1408043

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1408044&r1=1408043&r2=1408044&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Sun Nov 11 16:42:02 2012
@@ -31,6 +31,7 @@ import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.Manager;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
 import org.apache.catalina.connector.Request;
@@ -404,6 +405,15 @@ public class FormAuthenticator
             return;
         }
 
+        if (getChangeSessionIdOnAuthentication()) {
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                Manager manager = request.getContext().getManager();
+                manager.changeSessionId(session);
+                request.changeSessionId(session.getId());
+            }
+        }
+
         // Always use GET for the login page, regardless of the method used
         String oldMethod = request.getMethod();
         request.getCoyoteRequest().method().setString("GET");

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1408044&r1=1408043&r2=1408044&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Sun Nov 11 16:42:02 2012
@@ -114,6 +114,10 @@
         <bug>54127</bug>: Add support for sending a WebSocket Ping. Patch
         provided by Sean Winterberger. (markt)
       </add>
+      <fix>
+        In FormAuthenticator: If it is configured to change Session IDs,
+        do the change before displaying the login form. (kkolinko)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org