This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 419b839adc Add explanatory comment
419b839adc is described below

commit 419b839adc2e089147cf8673637470c12d51a334
Author: Mark Thomas <[email protected]>
AuthorDate: Fri Jan 9 18:23:47 2026 +0000

    Add explanatory comment
---
 .../catalina/authenticator/AuthenticatorBase.java       | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java 
b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 39680288b9..6961150583 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -886,6 +886,23 @@ public abstract class AuthenticatorBase extends ValveBase 
implements Authenticat
     protected boolean checkForCachedAuthentication(Request request, 
HttpServletResponse response,
             boolean useSsoCachedUserAndPassword) {
 
+        /*
+         * There are two methods for authentication caching implemented by the 
SSO Valve. The first caches the
+         * authenticated Principal returned by the Realm. The second caches 
the user name and password passed to the
+         * Realm that were used for authentication.
+         *
+         * If cached authentication is not available or fails for any reason, 
the Authenticator will attempt the normal
+         * authentication process for the Authenticator.
+         *
+         * Which cached authentication methods are used depends on the 
configuration of the SSO Valve and/or the
+         * Authenticator.
+         *
+         * If the SSO Valve is configured to require re-authentication, any 
cached Principal will not be used.
+         *
+         * If the SSO Valve is configured to require re-authentication, 
whether the cached user name and password can be
+         * used will be determined by the calling Authenticator type.
+         */
+
         // Has the user already been authenticated?
         Principal principal = request.getUserPrincipal();
         String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
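Review bot: The last paragraph of the new comment says the calling Authenticator type decides whether the cached user name and password may be used, but it never names `useSsoCachedUserAndPassword`, the parameter in the signature just above that appears to carry that decision. I would tie the two together by ending that paragraph with something like `The calling Authenticator indicates this via useSsoCachedUserAndPassword.` so a reader auditing the re-authentication path can trace the control from the comment to the code. Because the last two paragraphs open with the same condition, merging them into one sentence covering both the Principal and the credentials case would also make it harder to misread the second as a different configuration. The body of checkForCachedAuthentication continues outside the hunk, so whether the flag is the only gate on the credential path cannot be confirmed from here.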

