https://bz.apache.org/bugzilla/show_bug.cgi?id=64712

            Bug ID: 64712
           Summary: javax.servlet.http.authType not evaluated after JASPIC
                    authentication success
           Product: Tomcat 9
           Version: 9.0.37
          Hardware: PC
            Status: NEW
          Severity: minor
          Priority: P2
         Component: JASPIC
          Assignee: dev@tomcat.apache.org
          Reporter: robert.rodew...@kopsis.com
  Target Milestone: -----

According to the JASPIC 1.1 specification (section 3.8.4) a ServerAuthModule
should be able to specify the authType by returning it under the key
"javax.servlet.http.authType" in the map of the messageInfo object. Tomcat
ignores the map and simply sets the authType to "JASPIC".

Here is the code from AuthenticatorBase:
Map map = state.messageInfo.getMap();
if (map != null && map.containsKey("javax.servlet.http.registerSession")) {
    register(request, response, principal, "JASPIC", null, null, true, true);
} else {
    register(request, response, principal, "JASPIC", null, null);
}

In my opinion the hard-coded authType "JASPIC" should be replaced by:
map.getOrDefault("javax.servlet.http.authType", "JASPIC")
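
Added example, not part of the original report and not Tomcat's code: a sketch of resolving the authType from the messageInfo map with the existing "JASPIC" value as fallback. It covers the null map the quoted code already guards against and the fact that the map is untyped. The class and the helper resolveAuthType are hypothetical names, and the sample maps are constructed.

```java
import java.util.HashMap;
import java.util.Map;

public class AuthTypeResolution {
    // Key named in the report (JASPIC 1.1, section 3.8.4).
    static final String AUTH_TYPE_KEY = "javax.servlet.http.authType";
    // Value currently hard-coded in the quoted code, kept as the fallback.
    static final String DEFAULT_AUTH_TYPE = "JASPIC";

    // Hypothetical helper: chooses the authType that would be passed to register().
    static String resolveAuthType(Map<?, ?> map) {
        if (map == null) {
            // The quoted code checks for a null map, so the lookup must do the same.
            return DEFAULT_AUTH_TYPE;
        }
        Object value = map.get(AUTH_TYPE_KEY);
        // The messageInfo map is untyped: accept only a non-empty String,
        // anything else falls back instead of failing with a ClassCastException.
        if (value instanceof String && !((String) value).isEmpty()) {
            return (String) value;
        }
        return DEFAULT_AUTH_TYPE;
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for messageInfo.getMap().
        Map<String, Object> fromModule = new HashMap<>();
        fromModule.put(AUTH_TYPE_KEY, "MY-SAM");

        Map<String, Object> wrongType = new HashMap<>();
        wrongType.put(AUTH_TYPE_KEY, Boolean.TRUE);

        Map<String, Object> keyAbsent = new HashMap<>();

        System.out.println("module value: " + resolveAuthType(fromModule));
        System.out.println("non-String:   " + resolveAuthType(wrongType));
        System.out.println("key absent:   " + resolveAuthType(keyAbsent));
        System.out.println("null map:     " + resolveAuthType(null));
    }
}
```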
