This is an automated email from the ASF dual-hosted git repository. kkolinko pushed a commit to branch 7.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push: new fb0d5b6 Do not store username and password as session notes during authentication if they are not needed. fb0d5b6 is described below commit fb0d5b6cd4a3b0de6bd78dae906d95ef5616d965 Author: Konstantin Kolinko <kkoli...@apache.org> AuthorDate: Wed Dec 11 13:17:42 2019 +0300 Do not store username and password as session notes during authentication if they are not needed. Only FormAuthenticator reads those notes and only in the rare case when caching is turned off. Other authenticators do not need them. If any third-party authenticator has a need, it is possible to overwrite register(..) like FormAuthenticator does here. It is a review of commit 1ecba14e690cf5f3f143eef6ae7037a6d3c16652.
---
 .../catalina/authenticator/AuthenticatorBase.java | 19 +++------------
 .../catalina/authenticator/FormAuthenticator.java | 27 ++++++++++++++++++++++
 webapps/docs/changelog.xml | 4 ++++
 3 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 52bff92..f5e76a3 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -918,22 +918,9 @@ public abstract class AuthenticatorBase extends ValveBase
         }
         // Cache the authentication information in our session, if any
-        if (session != null) {
-            if (cache) {
-                session.setAuthType(authType);
-                session.setPrincipal(principal);
-            } else {
-                if (username != null) {
-                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
-                } else {
-                    session.removeNote(Constants.SESS_USERNAME_NOTE);
-                }
-                if (password != null) {
-                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
-                } else {
-                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
-                }
-            }
+        if (session != null && cache) {
+            session.setAuthType(authType);
+            session.setPrincipal(principal);
         }
         // Construct a cookie to be returned to the client
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 1204d4c..e5e1d8d 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -369,6 +369,33 @@ public class FormAuthenticator
     }
+    @Override
+    public void register(Request request, HttpServletResponse response,
+            Principal principal, String authType, String username,
+            String password) {
+
+        super.register(request, response, principal, authType, username, password);
+
+        // If caching an authenticated Principal is turned off,
+        // store username and password as session notes to use them for re-authentication.
+        if (!cache) {
+            Session session = request.getSessionInternal(false);
+            if (session != null) {
+                if (username != null) {
+                    session.setNote(Constants.SESS_USERNAME_NOTE, username);
+                } else {
+                    session.removeNote(Constants.SESS_USERNAME_NOTE);
+                }
+                if (password != null) {
+                    session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+                } else {
+                    session.removeNote(Constants.SESS_PASSWORD_NOTE);
+                }
+            }
+        }
+    }
+
+
     /**
      * Called to forward to the login page
      *
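Review bot: The Javadoc of `register(..)` in AuthenticatorBase, which starts above this hunk, presumably still describes `username` and `password` as being kept in the session; with the `else` branch removed, the base implementation no longer touches those parameters at all, so the `@param username` / `@param password` text should say they are ignored here and that a subclass needing them for re-authentication must override `register(..)`, as FormAuthenticator now does. A second, smaller consequence of dropping the branch is that a base `register(..)` call with `cache` false no longer removes a stale `SESS_USERNAME_NOTE`/`SESS_PASSWORD_NOTE` left in the session by an earlier registration; if that case matters for a mixed-authenticator deployment, a one-line `@implNote`-style comment above the remaining `if (session != null && cache)` would record that clearing the notes is now the subclass's responsibility. The enclosing method continues outside the hunk on both sides.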
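Review bot: The new `register(..)` override in FormAuthenticator has no Javadoc, and what it does deserves one: whenever `cache` is false it keeps the cleartext `password` in a session note for as long as the session lives, which is the trade-off an operator accepts by turning caching off. A short Javadoc would state that the notes exist only for FormAuthenticator's own re-authentication when the Principal is not cached, that they hold the credential in cleartext, and that the override removes a note when the corresponding value is null. As a point of style, the two `if (x != null) setNote else removeNote` blocks are identical apart from the note name and could share a small private helper, which also makes the null-clears-the-note rule visible in one place.
```java
    public void register(Request request, HttpServletResponse response,
            // … unchanged: remaining parameters and super.register(...) call …
        if (!cache) {
            Session session = request.getSessionInternal(false);
            if (session != null) {
                setOrRemoveNote(session, Constants.SESS_USERNAME_NOTE, username);
                setOrRemoveNote(session, Constants.SESS_PASSWORD_NOTE, password);
            }
        }
    }

    // Stores value under the given note name, or drops the stale note when value is null.
    private static void setOrRemoveNote(Session session, String name, String value) {
        if (value != null) {
            session.setNote(name, value);
        } else {
            session.removeNote(name);
        }
    }
```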
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1d43ebd..35379ab 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -99,6 +99,10 @@
         the authenticated Principal is not cached in the session when caching is disabled. (markt)
       </fix>
+      <update>
+        Do not store username and password as session notes during
+        authentication if they are not needed. (kkolinko)
+      </update>
     </changelog>
   </subsection>
   <subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org