You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/11/21 21:09:09 UTC
svn commit: r1770762 - in /tomcat/trunk:
java/org/apache/catalina/authenticator/AuthenticatorBase.java
java/org/apache/catalina/authenticator/LocalStrings.properties
webapps/docs/changelog.xml
Author: markt
Date: Mon Nov 21 21:09:09 2016
New Revision: 1770762
URL: http://svn.apache.org/viewvc?rev=1770762&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60380
Ensure that a call to HttpServletRequest#logout() triggers a call to TomcatPrincipal#logout().
Based on a patch by Michael Osipov.
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1770762&r1=1770761&r2=1770762&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Mon Nov 21 21:09:09 2016
@@ -48,6 +48,7 @@ import org.apache.catalina.LifecycleExce
import org.apache.catalina.Manager;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
+import org.apache.catalina.TomcatPrincipal;
import org.apache.catalina.Valve;
import org.apache.catalina.Wrapper;
import org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl;
@@ -61,6 +62,7 @@ import org.apache.catalina.valves.ValveB
import org.apache.coyote.ActionCode;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.ExceptionUtils;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.http.FastHttpDateFormat;
@@ -1107,6 +1109,16 @@ public abstract class AuthenticatorBase
}
}
+ Principal p = request.getPrincipal();
+ if (p instanceof TomcatPrincipal) {
+ try {
+ ((TomcatPrincipal) p).logout();
+ } catch (Throwable t) {
+ ExceptionUtils.handleThrowable(t);
+ log.debug(sm.getString("authenticator.tomcatPrincipalLogoutFail"), t);
+ }
+ }
+
register(request, request.getResponse(), null, null, null, null);
}
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=1770762&r1=1770761&r2=1770762&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties Mon Nov 21 21:09:09 2016
@@ -30,6 +30,7 @@ authenticator.notContext=Configuration e
authenticator.requestBodyTooBig=The request body was too large to be cached during the authentication process
authenticator.sessionExpired=The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser
authenticator.unauthorized=Cannot authenticate with the provided credentials
+authenticator.tomcatPrincipalLogoutFail=Logout with TomcatPrincipal instance has failed
digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1770762&r1=1770761&r2=1770762&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Nov 21 21:09:09 2016
@@ -79,6 +79,12 @@
required. Patch provided by Michael Osipov. (markt)
</fix>
<fix>
+ <bug>60380</bug>: Ensure that a call to
+ <code>HttpServletRequest#logout()</code> triggers a call to
+ <code>TomcatPrincipal#logout()</code>. Based on a patch by Michael
+ Osipov. (markt)
+ </fix>
+ <fix>
<bug>60387</bug>: Correct the javadoc for
<code>o.a.catalina.AccessLog.setRequestAttributesEnabled</code>.
The default value is different for the different implementations.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org