You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by kk...@apache.org on 2012/11/11 17:42:03 UTC
svn commit: r1408044 - in /tomcat/tc7.0.x/trunk: ./
java/org/apache/catalina/authenticator/FormAuthenticator.java
webapps/docs/changelog.xml
Author: kkolinko
Date: Sun Nov 11 16:42:02 2012
New Revision: 1408044
URL: http://svn.apache.org/viewvc?rev=1408044&view=rev
Log:
Merged revision 1408043 from tomcat/trunk:
In FormAuthenticator: If it is configured to change Session IDs,
do the change before displaying the login form.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1408043
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java?rev=1408044&r1=1408043&r2=1408044&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/FormAuthenticator.java Sun Nov 11 16:42:02 2012
@@ -31,6 +31,7 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.catalina.Manager;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
@@ -404,6 +405,15 @@ public class FormAuthenticator
return;
}
+ if (getChangeSessionIdOnAuthentication()) {
+ Session session = request.getSessionInternal(false);
+ if (session != null) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+ }
+
// Always use GET for the login page, regardless of the method used
String oldMethod = request.getMethod();
request.getCoyoteRequest().method().setString("GET");
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1408044&r1=1408043&r2=1408044&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Sun Nov 11 16:42:02 2012
@@ -114,6 +114,10 @@
<bug>54127</bug>: Add support for sending a WebSocket Ping. Patch
provided by Sean Winterberger. (markt)
</add>
+ <fix>
+ In FormAuthenticator: If it is configured to change Session IDs,
+ do the change before displaying the login form. (kkolinko)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org