This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new e13d65b16d ARTEMIS-4420 user auth leaks into non-Artemis servlets
e13d65b16d is described below

commit e13d65b16d4ac1c5edccc51f99cc7c33994f07f1
Author: Justin Bertram <[email protected]>
AuthorDate: Wed May 22 09:08:45 2024 -0500

    ARTEMIS-4420 user auth leaks into non-Artemis servlets
---
 .../activemq/artemis/component/WebServerComponent.java | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git 
a/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java
 
b/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java
index 88c828e36f..4b77d51641 100644
--- 
a/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java
+++ 
b/artemis-web/src/main/java/org/apache/activemq/artemis/component/WebServerComponent.java
@@ -17,6 +17,10 @@
 package org.apache.activemq.artemis.component;
 
 import javax.servlet.DispatcherType;
+import javax.servlet.ServletContextEvent;
+import javax.servlet.ServletContextListener;
+import javax.servlet.ServletRequestEvent;
+import javax.servlet.ServletRequestListener;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -40,6 +44,7 @@ import org.apache.activemq.artemis.dto.AppDTO;
 import org.apache.activemq.artemis.dto.BindingDTO;
 import org.apache.activemq.artemis.dto.ComponentDTO;
 import org.apache.activemq.artemis.dto.WebServerDTO;
+import org.apache.activemq.artemis.logs.AuditLogger;
 import org.apache.activemq.artemis.marker.WebServerComponentMarker;
 import org.apache.activemq.artemis.utils.ClassloadingUtil;
 import org.apache.activemq.artemis.utils.PemConfigUtil;
@@ -166,6 +171,19 @@ public class WebServerComponent implements 
ExternalComponent, WebServerComponent
                handlers.addHandler(webContext);
                webContext.setInitParameter(DIR_ALLOWED, "false");
                
webContext.getSessionHandler().getSessionCookieConfig().setComment("__SAME_SITE_STRICT__");
+               webContext.addEventListener(new ServletContextListener() {
+                  @Override
+                  public void contextInitialized(ServletContextEvent sce) {
+                     sce.getServletContext().addListener(new 
ServletRequestListener() {
+                        @Override
+                        public void requestDestroyed(ServletRequestEvent sre) {
+                           ServletRequestListener.super.requestDestroyed(sre);
+                           AuditLogger.currentCaller.remove();
+                           AuditLogger.remoteAddress.remove();
+                        }
+                     });
+                  }
+               });
                webContextData.add(new Pair(webContext, binding.uri));
             }
          }
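Review bot: The new anonymous listener does not say why the two AuditLogger values are cleared here, and `ServletRequestListener.super.requestDestroyed(sre);` on the line above the two `remove()` calls only invokes the interface's empty default method (Servlet 4.0+), so it can be dropped. I would replace it with a why-comment such as `// Pooled Jetty threads keep ThreadLocal state between requests; clear the audit caller and remote address at request end so they cannot leak into the next request served on this thread (ARTEMIS-4420).` — assuming `currentCaller` and `remoteAddress` are ThreadLocals, which the `remove()` calls suggest but the hunk does not show. As defense in depth, overriding `requestInitialized` with the same two `remove()` calls would also protect the first request handled by a context that this listener was not attached to, if such a path exists. The enclosing method starts before this hunk and continues past it.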
