Author: markt Date: Wed Jan 24 16:32:31 2018 New Revision: 1822116 URL: http://svn.apache.org/viewvc?rev=1822116&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62036 When caching an authenticated user Principal in the session when the web application is configured with the NonLoginAuthenticator, cache the internal Principal object rather than the user facing Principal object as Tomcat requires the internal object to correctly process later authorization checks.
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java?rev=1822116&r1=1822115&r2=1822116&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java (original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java Wed Jan 24 16:32:31 2018
@@ -80,10 +80,10 @@ public final class NonLoginAuthenticator
 // Don't try and use SSO to authenticate since there is no auth
 // configured for this web application
 if (checkForCachedAuthentication(request, response, true)) {
- // save the inherited Principal in this session so it can remain
- // authenticated until it expires
+ // Save the inherited Principal in this session so it can remain
+ // authenticated until it expires.
 if (cache) {
- request.getSessionInternal(true).setPrincipal(request.getUserPrincipal());
+ request.getSessionInternal(true).setPrincipal(request.getPrincipal());
 }
 return true;
 }
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1822116&r1=1822115&r2=1822116&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Jan 24 16:32:31 2018
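Review bot: The rewritten two-line comment above the `if (cache)` block still says only that the inherited Principal is saved and does not record why `request.getPrincipal()` now replaces `request.getUserPrincipal()`, which is the substance of the fix and the kind of distinction a later cleanup can silently undo. I would make the comment carry the reason, e.g. `// Cache the internal Principal (getPrincipal()), not the user-facing one from getUserPrincipal(): Tomcat needs the internal object for later authorization checks (BZ 62036).` The enclosing method begins before and ends after this hunk, so the `cache` flag's origin and the remaining fall-through paths are not visible here. Since the change is a single call-site swap with only a changelog entry alongside, a regression test that takes the cached-authentication path and then performs a role check against the session-cached Principal would pin the behaviour the log message describes.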
@@ -58,6 +58,13 @@ Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. (remm) </fix> + <fix> + <bug>62036</bug>: When caching an authenticated user Principal in the + session when the web application is configured with the + <code>NonLoginAuthenticator</code>, cache the internal Principal object + rather than the user facing Principal object as Tomcat requires the + internal object to correctly process later authorization checks. (markt) + </fix> </changelog> </subsection> <subsection name="Coyote"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org