Author: markt
Date: Thu Aug 11 21:58:21 2016
New Revision: 1756056

URL: http://svn.apache.org/viewvc?rev=1756056&view=rev
Log:
Follow-up for https://bz.apache.org/bugzilla/show_bug.cgi?id=59823
HttpServletRequest#authenticate() should return false for a null Principal

Modified:
    tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java

Modified: 
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1756056&r1=1756055&r2=1756056&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
Thu Aug 11 21:58:21 2016
@@ -549,7 +549,8 @@ public abstract class AuthenticatorBase
             }
 
             if (jaspicProvider == null && !doAuthenticate(request, response) ||
-                    jaspicProvider != null && !authenticateJaspic(request, 
response, jaspicState)) {
+                    jaspicProvider != null &&
+                            !authenticateJaspic(request, response, 
jaspicState, false)) {
                 if (log.isDebugEnabled()) {
                     log.debug(" Failed authenticate() test");
                 }
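Review bot: The `false` passed to authenticateJaspic here makes the protected-resource path accept a JASPIC validateRequest that succeeds without establishing a caller, while the programmatic authenticate() path in the same commit rejects exactly that case, and nothing in the hunk explains the asymmetry. Presumably the realm's role check later in the enclosing method (outside this hunk) denies a null principal for constrained resources, but that reasoning belongs next to the literal, e.g. `// A JASPIC module may report SUCCESS without establishing a caller; authorization is still enforced by the realm below, so a principal is not required here`. The mixed `&&`/`||` condition also reads more safely fully parenthesized: `(jaspicProvider == null && !doAuthenticate(request, response)) || (jaspicProvider != null && !authenticateJaspic(request, response, jaspicState, false))`. The enclosing method starts and ends outside the hunk.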
@@ -605,7 +606,7 @@ public abstract class AuthenticatorBase
                 return false;
             }
 
-            boolean result = authenticateJaspic(request, response, 
jaspicState);
+            boolean result = authenticateJaspic(request, response, 
jaspicState, true);
 
             secureResponseJspic(request, response, jaspicState);
 
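Review bot: The `true` argument is the actual fix for BZ 59823 but the call site gives no hint of that, and a future edit could flip it without noticing the contract it implements; a one-line comment above the call would pin it: `// BZ 59823: a module that validates the request without establishing a caller must not make authenticate() report success`. It is also worth confirming (the module interaction is outside this hunk) that a module returning no principal has already issued its challenge via the response, since `result` is returned to the caller as a plain false with no further error handling visible here. The enclosing method starts and ends outside the hunk.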
@@ -730,7 +731,8 @@ public abstract class AuthenticatorBase
     }
 
 
-    private boolean authenticateJaspic(Request request, Response response, 
JaspicState state) {
+    private boolean authenticateJaspic(Request request, Response response, 
JaspicState state,
+            boolean requirePrincipal) {
 
         boolean cachedAuth = checkForCachedAuthentication(request, response, 
false);
         Subject client = new Subject();
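Review bot: The new `requirePrincipal` parameter is the only thing that distinguishes the two call sites' security behaviour, yet the method carries no Javadoc describing it. Add a short Javadoc above the signature with `@param requirePrincipal if {@code true}, a module that validates the request without establishing a caller principal is treated as a failed authentication` and a line stating what the return value means in each mode. The method body continues past the end of the hunk.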
@@ -753,6 +755,9 @@ public abstract class AuthenticatorBase
             if (principal == null) {
                 request.setUserPrincipal(null);
                 request.setAuthType(null);
+                if (requirePrincipal) {
+                    return false;
+                }
             } else if (cachedAuth == false ||
                     
!principal.getUserPrincipal().equals(request.getUserPrincipal())) {
                 // Skip registration if authentication credentials were
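Review bot: When `requirePrincipal` is false the null-principal branch clears the request's user principal and auth type and then falls through to whatever the method returns below (outside this hunk), so from the caller's side "validated with a caller" and "validated with no caller" become indistinguishable; that should be stated in a comment on the branch, e.g. `// No caller established: clear any cached identity on the request; in non-strict mode this still counts as a successful validation`. Note also that if `cachedAuth` was true the identity restored by checkForCachedAuthentication is dropped from this request only — nothing in the hunk touches the underlying cache, which may be intended but is worth confirming against the rest of the method. The enclosing method starts and ends outside the hunk.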


