(tomcat) branch main updated: Add explanatory comment

Fri, 09 Jan 2026 10:24:06 -0800 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new d64874b2e4 Add explanatory comment
d64874b2e4 is described below

commit d64874b2e48e053ca902565d590b32ae5fd7c097
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Jan 9 18:23:47 2026 +0000

    Add explanatory comment
---
 .../catalina/authenticator/AuthenticatorBase.java       | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 3147692509..de9ecc6c26 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -887,6 +887,23 @@ public abstract class AuthenticatorBase extends ValveBase 
implements Authenticat
     protected boolean checkForCachedAuthentication(Request request, 
HttpServletResponse response,
             boolean useSsoCachedUserAndPassword) {
 
+        /*
+         * There are two methods for authentication caching implemented by the 
SSO Valve. The first caches the
+         * authenticated Principal returned by the Realm. The second caches 
the user name and password passed to the
+         * Realm that were used for authentication.
+         *
+         * If cached authentication is not available or fails for any reason, 
the Authenticator will attempt the normal
+         * authentication process for the Authenticator.
+         *
+         * Which cached authentication methods are used depends on the 
configuration of the SSO Valve and/or the
+         * Authenticator.
+         *
+         * If the SSO Valve is configured to require re-authentication, any 
cached Principal will not be used.
+         *
+         * If the SSO Valve is configured to require re-authentication, 
whether the cached user name and password can be
+         * used will be determined by the calling Authenticator type.
+         */
+
         // Has the user already been authenticated?
         Principal principal = request.getUserPrincipal();
         String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to