On Thu, Nov 27, 2025 at 12:23 PM Mark Thomas <[email protected]> wrote:
>
> On 27/11/2025 10:55, Rémy Maucherat wrote:
> > On Wed, Nov 26, 2025 at 8:54 PM Mark Thomas <[email protected]> wrote:
> > <snip/>
> >
> >> So, finally, to potential changes.
> >>
> >> I had considered removing the requireReauthentication attribute from the
> >> SSO Valve but I think it still serves a purpose and is worth keeping.
> >> Removing it would also create migration work for users. I proposed the
> >> following:
> >> - add an ssoReauthenticationMode to the Authenticator interface with
> >>   three possible values (all case insensitive)
> >>   - cached - add the cached Principal to the request
> >>   - userPassword - authenticate to the Realm with the cached
> >>     username and password from BASIC/FORM
> >>   - full - perform the standard authentication for the authenticator
> >>     using information provided in the request
> >
> > I don't understand how the "cached" value works since it conflicts
> > with the value of the requireReauthentication flag from SingleSignOn.
>
> Yes. The intention is that because enabling requireReauthentication
> applies to every web application using SSO, the "cached" option allows
> this to be "undone" on a per web application basis.
Oh, I missed that. Ok.

> > Then this sounds like ending up changing the
> > checkForCachedAuthentication method signature since the useSSO flag is
> > not useful. Any custom authenticator would use it (I mean: have cut
> > and pasted the code that calls it to do the magical stuff, from the
> > BasicAuthenticator code :) ), so maybe a bad plan.
>
> I haven't got as far as figuring out what the implementation would look
> like. The intention would be to ensure that it remained backwards
> compatible. That might require some adjustments to the plan.

Ok then.

> >
> >> - if requireReauthentication is not enabled, all authenticators
> >>   use the "cached" mode (no change)
> >> - if requireReauthentication is enabled
> >>   - BASIC and FORM reauthenticate use "userPassword" mode by default
> >>     (no change).
> >>   - SPNEGO used "full" mode by default (change)
> >
> > +1 for changing this one.
>
> ACK. That is an easy one I can get done quickly.
>
> >
> >> - DIGEST and CLIENT-CERT used "full" mode by default (no change)
> >> - individual authenticators can override the default
> >>   re-authentication mode to one of cached, userPassword, full
> >>
> >> There is an argument to switch DIGEST to "userPassword" mode by default
> >> if requireReauthentication is enabled but I'm not sure there is enough
> >> of a reason to change the current behaviour.
> >>
> >> If you followed my ramblings this far - thank you. Thoughts?
> >
> > I missed something.
>
> Hopefully I've explained myself better this time.

Yes, perfect.
Rémy

> Mark
>
> >
> > Rémy
> >
> >> Mark
> >>
> >>
> >> [1] https://github.com/apache/tomcat/pull/890
> >> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=23881
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: [email protected]
> >> For additional commands, e-mail: [email protected]
