This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 8e7f0fc06a Check SSO configuration on start
8e7f0fc06a is described below
commit 8e7f0fc06a1947dfdd5a881623e16cfae0d00125
Author: remm <[email protected]>
AuthorDate: Mon Oct 6 13:54:51 2025 +0200
Check SSO configuration on start
Log a warning if the SSO configuration does not comply with the documentation.
---
.../catalina/authenticator/LocalStrings.properties | 2 ++
.../catalina/authenticator/SingleSignOn.java | 38 +++++++++++++++++++---
webapps/docs/changelog.xml | 4 +++
3 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/LocalStrings.properties
b/java/org/apache/catalina/authenticator/LocalStrings.properties
index b9c62d8502..126507b5db 100644
--- a/java/org/apache/catalina/authenticator/LocalStrings.properties
+++ b/java/org/apache/catalina/authenticator/LocalStrings.properties
@@ -79,6 +79,8 @@ singleSignOn.debug.removeSession=SSO removing application
session [{0}] from SSO
singleSignOn.debug.sessionLogout=SSO processing a log out for SSO session
[{0}] and application session [{1}]
singleSignOn.debug.sessionTimeout=SSO processing a time out for SSO session
[{0}] and application session [{1}]
singleSignOn.debug.update=SSO updating SSO session [{0}] to authentication
type [{1}]
+singleSignOn.duplicateRealm=SSO found a realm defined on context [{0}], this
will conflict with principals defined in the main realm
+singleSignOn.noRealm=This SSO [{0}] has no realm associated with it
singleSignOn.sessionExpire.contextNotFound=SSO unable to expire session [{0}]
because the Context could not be found
singleSignOn.sessionExpire.engineNull=SSO unable to expire session [{0}]
because the Engine was null
singleSignOn.sessionExpire.hostNotFound=SSO unable to expire session [{0}]
because the Host could not be found
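Review bot: The new `singleSignOn.duplicateRealm` message says the realm was found on a "context", but SingleSignOn.startInternal in this same commit also logs it with a Host name when a host under the Engine has its own realm, so the warning misnames the container in that case. A container-neutral wording such as `singleSignOn.duplicateRealm=SSO found a realm defined on container [{0}], this will conflict with principals defined in the main realm` fits both call sites. Similarly, `singleSignOn.noRealm` is formatted with the container's name rather than the valve's, so "This SSO [{0}]" reads as if {0} were the valve; `singleSignOn.noRealm=SSO on container [{0}] has no realm associated with it` would match the argument actually passed.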
diff --git a/java/org/apache/catalina/authenticator/SingleSignOn.java
b/java/org/apache/catalina/authenticator/SingleSignOn.java
index c5fe8d853b..1d31889965 100644
--- a/java/org/apache/catalina/authenticator/SingleSignOn.java
+++ b/java/org/apache/catalina/authenticator/SingleSignOn.java
@@ -28,6 +28,7 @@ import jakarta.servlet.http.Cookie;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Engine;
+import org.apache.catalina.Host;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Manager;
import org.apache.catalina.Realm;
@@ -569,12 +570,39 @@ public class SingleSignOn extends ValveBase {
@Override
protected void startInternal() throws LifecycleException {
- Container c = getContainer();
- while (c != null && !(c instanceof Engine)) {
- c = c.getParent();
+ Container container = getContainer();
+ while (container != null && !(container instanceof Engine)) {
+ container = container.getParent();
}
- if (c != null) {
- engine = (Engine) c;
+ if (container != null) {
+ engine = (Engine) container;
+ }
+ // Starting with the associated container, verify it has a realm
associated,
+ // and that no child container returns a different realm
+ container = getContainer();
+ Realm containerRealm = container.getRealm();
+ if (containerRealm == null) {
+ containerLog.warn(sm.getString("singleSignOn.noRealm",
container.getName()));
+ } else {
+ if (container instanceof Engine) {
+ for (Container host : engine.findChildren()) {
+ if (host.getRealm() != containerRealm) {
+
containerLog.warn(sm.getString("singleSignOn.duplicateRealm", host.getName()));
+ } else {
+ for (Container context : host.findChildren()) {
+ if (context.getRealm() != containerRealm) {
+
containerLog.warn(sm.getString("singleSignOn.duplicateRealm",
context.getName()));
+ }
+ }
+ }
+ }
+ } else if (container instanceof Host) {
+ for (Container context : container.findChildren()) {
+ if (context.getRealm() != containerRealm) {
+
containerLog.warn(sm.getString("singleSignOn.duplicateRealm",
context.getName()));
+ }
+ }
+ }
}
super.startInternal();
}
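Review bot: After the Engine lookup, the re-fetched `container = getContainer()` is dereferenced by `container.getRealm()` with no null check, although the loop immediately above treats a null container as possible; either that null test is redundant or the new code needs `if (container == null) { super.startInternal(); return; }` before the realm check, so a valve with no container still starts as it did before instead of throwing a NullPointerException. The `!=` identity comparison presumably relies on child containers returning the parent's Realm instance when none is configured locally; a comment such as `// Identity comparison: a child that inherits the realm returns the same instance` would make that assumption explicit. In the Engine branch a host with its own realm is warned once and its contexts are skipped by the `else`, which is reasonable but deserves a one-line comment, and `engine.findChildren()` could be `container.findChildren()` for symmetry with the Host branch. The introductory comment also repeats "associated"; `// Starting with the associated container, verify it has a realm,` reads better.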
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 93dab623e4..e036c90676 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -113,6 +113,10 @@
Configuration via regular expression has been deprecated and will be
removed in Tomcat 12. (markt)
</add>
+ <fix>
+ Log warnings when the SSO configuration does not comply with the
+ documentation. (remm)
+ </fix>
</changelog>
</subsection>
</section>