On 27/11/2025 10:55, Rémy Maucherat wrote:
> On Wed, Nov 26, 2025 at 8:54 PM Mark Thomas <[email protected]> wrote:

<snip/>

>> So, finally, to potential changes.
>>
>> I had considered removing the requireReauthentication attribute from the
>> SSO Valve but I think it still serves a purpose and is worth keeping.
>> Removing it would also create migration work for users. I proposed the
>> following:
>> - add an ssoReauthenticationMode to the Authenticator interface with
>>   three possible values (all case insensitive)
>>   - cached - add the cached Principal to the request
>>   - userPassword - authenticate to the Realm with the cached
>>                    username and password from BASIC/FORM
>>   - full - perform the standard authentication for the authenticator
>>            using information provided in the request
>
> I don't understand how the "cached" value works since it conflicts
> with the value of the requireReauthentication flag from SingleSignOn.

Yes. The intention is that because enabling requireReauthentication
applies to every web application using SSO, the "cached" option allows
this to be "undone" on a per web application basis.

> Then this sounds like ending up changing the
> checkForCachedAuthentication method signature since the useSSO flag is
> not useful. Any custom authenticator would use it (I mean: have cut
> and pasted the code that calls it to do the magical stuff, from the
> BasicAuthenticator code :) ), so maybe a bad plan.

I haven't got as far as figuring out what the implementation would look
like. The intention would be to ensure that it remained backwards
compatible. That might require some adjustments to the plan.

>> - if requireReauthentication is not enabled, all authenticators
>>   use the "cached" mode (no change)
>> - if requireReauthentication is enabled
>>   - BASIC and FORM reauthenticate using "userPassword" mode by default
>>     (no change).
>>   - SPNEGO used "full" mode by default (change)
>
> +1 for changing this one.

ACK. That is an easy one I can get done quickly.

>>   - DIGEST and CLIENT-CERT used "full" mode by default (no change)
>>   - individual authenticators can override the default
>>     re-authentication mode to one of cached, userPassword, full
>>
>> There is an argument to switch DIGEST to "userPassword" mode by default
>> if requireReauthentication is enabled but I'm not sure there is enough
>> of a reason to change the current behaviour.
>>
>> If you followed my ramblings this far - thank you. Thoughts?
>
> I missed something.

Hopefully I've explained myself better this time.

Mark

> Rémy
>
>> Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

