Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/11/21 21:09:09 UTC

svn commit: r1770762 - in /tomcat/trunk: java/org/apache/catalina/authenticator/AuthenticatorBase.java java/org/apache/catalina/authenticator/LocalStrings.properties webapps/docs/changelog.xml

Author: markt
Date: Mon Nov 21 21:09:09 2016
New Revision: 1770762

URL: http://svn.apache.org/viewvc?rev=1770762&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60380
Ensure that a call to HttpServletRequest#logout() triggers a call to TomcatPrincipal#logout().
Based on a patch by Michael Osipov.

Modified:
    tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
    tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1770762&r1=1770761&r2=1770762&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Mon Nov 21 21:09:09 2016
@@ -48,6 +48,7 @@ import org.apache.catalina.LifecycleExce
 import org.apache.catalina.Manager;
 import org.apache.catalina.Realm;
 import org.apache.catalina.Session;
+import org.apache.catalina.TomcatPrincipal;
 import org.apache.catalina.Valve;
 import org.apache.catalina.Wrapper;
 import org.apache.catalina.authenticator.jaspic.CallbackHandlerImpl;
@@ -61,6 +62,7 @@ import org.apache.catalina.valves.ValveB
 import org.apache.coyote.ActionCode;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.ExceptionUtils;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
 import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.apache.tomcat.util.http.FastHttpDateFormat;
@@ -1107,6 +1109,16 @@ public abstract class AuthenticatorBase
             }
         }
 
+        Principal p = request.getPrincipal();
+        if (p instanceof TomcatPrincipal) {
+            try {
+                ((TomcatPrincipal) p).logout();
+            } catch (Throwable t) {
+                ExceptionUtils.handleThrowable(t);
+                log.debug(sm.getString("authenticator.tomcatPrincipalLogoutFail"), t);
+            }
+        }
+
         register(request, request.getResponse(), null, null, null, null);
     }
 
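Review bot: The catch block around `((TomcatPrincipal) p).logout()` reports a failure only at debug level, so with default logging a principal logout that threw is invisible to operators even though the request-side logout still completes via `register(...)`. What `TomcatPrincipal#logout()` releases is not visible in this hunk, but if it disposes of underlying credentials or a login context, a silent failure is presumably worth surfacing; consider `log.warn(sm.getString("authenticator.tomcatPrincipalLogoutFail"), t);`. Keeping the call best-effort, so that the container still clears the principal afterwards, looks right. A short comment above the `try` would help, e.g. `// Best effort: a failure here must not prevent the request principal being cleared below`. The enclosing method starts outside the hunk, so any earlier handling of the principal could not be checked.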

Modified: tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties?rev=1770762&r1=1770761&r2=1770762&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/LocalStrings.properties Mon Nov 21 21:09:09 2016
@@ -30,6 +30,7 @@ authenticator.notContext=Configuration e
 authenticator.requestBodyTooBig=The request body was too large to be cached during the authentication process
 authenticator.sessionExpired=The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser
 authenticator.unauthorized=Cannot authenticate with the provided credentials
+authenticator.tomcatPrincipalLogoutFail=Logout with TomcatPrincipal instance has failed
 
 digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
 

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1770762&r1=1770761&r2=1770762&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon Nov 21 21:09:09 2016
@@ -79,6 +79,12 @@
         required. Patch provided by Michael Osipov. (markt)
       </fix>
       <fix>
+        <bug>60380</bug>: Ensure that a call to
+        <code>HttpServletRequest#logout()</code> triggers a call to
+        <code>TomcatPrincipal#logout()</code>. Based on a patch by Michael
+        Osipov. (markt)
+      </fix>
+      <fix>
         <bug>60387</bug>: Correct the javadoc for
         <code>o.a.catalina.AccessLog.setRequestAttributesEnabled</code>.
         The default value is different for the different implementations.


