https://bz.apache.org/bugzilla/show_bug.cgi?id=64712
Bug ID: 64712
Summary: javax.servlet.http.authType not evaluated after JASPIC authentication success
Product: Tomcat 9
Version: 9.0.37
Hardware: PC
Status: NEW
Severity: minor
Priority: P2
Component: JASPIC
Assignee: dev@tomcat.apache.org
Reporter: robert.rodew...@kopsis.com
Target Milestone: -----

According to the JASPIC 1.1 specification (section 3.8.4), a ServerAuthModule should be able to specify the authType by returning it under the key "javax.servlet.http.authType" in the map of the messageInfo object. Tomcat ignores the map and simply sets the authType to "JASPIC".

Here is the code from AuthenticatorBase:

    Map map = state.messageInfo.getMap();
    if (map != null && map.containsKey("javax.servlet.http.registerSession")) {
        register(request, response, principal, "JASPIC", null, null, true, true);
    } else {
        register(request, response, principal, "JASPIC", null, null);
    }

In my opinion the hard-coded authType "JASPIC" should be replaced by:

    map.getOrDefault("javax.servlet.http.authType", "JASPIC")
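
The lookup discussed in this report, written out as an added example (not part of the original report and not Tomcat's code). The class JaspicAuthTypeDemo and the helpers resolveAuthType and wantsSession are hypothetical names, and the maps in main are constructed samples standing in for messageInfo.getMap(); the sketch falls back to "JASPIC" when the map is null or the value is not a usable String.

```java
import java.util.HashMap;
import java.util.Map;

public class JaspicAuthTypeDemo {
    // Keys and default value as quoted in the report.
    static final String AUTH_TYPE_KEY = "javax.servlet.http.authType";
    static final String REGISTER_SESSION_KEY = "javax.servlet.http.registerSession";
    static final String DEFAULT_AUTH_TYPE = "JASPIC";

    /** Hypothetical helper: choose the authType to register for the principal. */
    static String resolveAuthType(Map<?, ?> map) {
        if (map == null) {
            // Calling getOrDefault on a null map would throw NullPointerException.
            return DEFAULT_AUTH_TYPE;
        }
        Object value = map.get(AUTH_TYPE_KEY);
        // The map is untyped, so accept only a non-blank String.
        if (value instanceof String && !((String) value).trim().isEmpty()) {
            return (String) value;
        }
        return DEFAULT_AUTH_TYPE;
    }

    /** Hypothetical helper mirroring the registerSession check in the quoted snippet. */
    static boolean wantsSession(Map<?, ?> map) {
        return map != null && map.containsKey(REGISTER_SESSION_KEY);
    }

    public static void main(String[] args) {
        // Constructed sample: entries a ServerAuthModule might leave in the map.
        Map<String, Object> fromSam = new HashMap<>();
        fromSam.put(AUTH_TYPE_KEY, "CLIENT_CERT");
        fromSam.put(REGISTER_SESSION_KEY, "true");

        // Constructed sample: key present but with a non-String value.
        Map<String, Object> wrongType = new HashMap<>();
        wrongType.put(AUTH_TYPE_KEY, Boolean.TRUE);

        System.out.println(resolveAuthType(fromSam) + " session=" + wantsSession(fromSam));
        System.out.println(resolveAuthType(wrongType));
        System.out.println(resolveAuthType(new HashMap<String, Object>()));
        System.out.println(resolveAuthType(null));
    }
}
```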