You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Brian Stansberry <br...@wanconcepts.com> on 2003/11/24 21:27:11 UTC

Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAuthentic

At 08:21 PM 11/24/2003 +0100, Remy wrote:
>Brian Stansberry wrote:
>>At 11:56 AM 11/24/2003 -0600, Luke Nelson wrote:
>>
>>>I have tried applying the patch, and I found three problems with
>>>it. First, its removal of a session from the SingleSignOnEntry
>>>object causes an IndexOutOfBounds exception.  Second, the method
>>>for determining whether the user explicitly logged out or whether a
>>>session timed out doesn't scale one of the numbers correctly (i.e.
>>>comparing millisecond values to seconds).  I have fixed the patch,
>>>but I don't have a diff of it yet (I'm new to helping with this
>>>project).  Finally, the patch doesn't synchronize on 'reverse' when
>>>removing an entry from it.
>>
>>I also looked at the code for StandardSession.getLastAccessedTime()
>>and it looks as if it will throw an IllegalStateException if the
>>session is expired.  So that would break the algorithm used in the
>>9077 patch.
>>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify
>>throwing an IllegalStateException for a call to
>>getLastAccessedTime().  It looks as if the exception throw  was added
>>in response to bug 15967, which stated that the javadoc does specify
>>the exception, but I'm looking at the javadoc for both Servlet 2.3
>>and 2.4, and in both cases it's not specified.
>
>Can you address those issues ASAP ? (incl the array out of bounds and the sync issue)

Sure; I'm starting on it now.  However, Jean-Francois found a HttpSession javadoc that specifies throwing an IllegalStateException in getLastAccessedTime().  If that is in the final spec, the 9077 patch algorithm will not work.  I'll work on it anyway in case the exception's not in the final spec.

As a backup, I've attached a patch that restores your earlier removal of the logout code.


Brian Stansberry
WAN Concepts, Inc.
www.wanconcepts.com
Tel:    (510) 894-0114 x 116
Fax:    (510) 797-3005