This is an automated email from the ASF dual-hosted git repository.
dsoumis pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new df3f762e96 Refactor FormAuthenticator to remove code duplication
df3f762e96 is described below
commit df3f762e966951020bfa3806e7113750951ad71c
Author: Dimitris Soumis <[email protected]>
AuthorDate: Mon Jan 19 15:26:23 2026 +0200
Refactor FormAuthenticator to remove code duplication
---
.../catalina/authenticator/FormAuthenticator.java | 38 +++++++++++-----------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index b1079e2c93..85dbe1133e 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -357,15 +357,7 @@ public class FormAuthenticator extends AuthenticatorBase {
// a resource is protected for some HTTP methods but not protected for
// GET which is used after authentication when redirecting to the
// protected resource.
- // TODO: This is similar to the FormAuthenticator.matchRequest() logic
- // Is there a way to remove the duplication?
- Session session = request.getSessionInternal(false);
- if (session != null) {
- SavedRequest savedRequest = (SavedRequest)
session.getNote(Constants.FORM_REQUEST_NOTE);
- return savedRequest != null &&
decodedRequestURI.equals(savedRequest.getDecodedRequestURI());
- }
-
- return false;
+ return matchRequest(request, false);
}
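Review bot: The call `return matchRequest(request, false);` now hides which checks are and are not performed at this point, and the comment above it still only explains why the URI comparison exists; a one-line comment would keep the intent readable, e.g. `// Non-strict match: only "saved request exists and URI matches" — the principal and session id checks are deliberately skipped here`. The removed code compared the enclosing method's local `decodedRequestURI` against the saved request, whereas the new call presumably derives the URI inside matchRequest; the two are only equivalent if both come from the same request accessor, which cannot be confirmed from this hunk. The enclosing method starts outside the hunk.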
@@ -499,15 +491,21 @@ public class FormAuthenticator extends AuthenticatorBase {
}
+ protected boolean matchRequest(Request request) {
+ return matchRequest(request, true);
+ }
+
/**
* Does this request match the saved one (so that it must be the redirect
we signaled after successful
* authentication?)
*
* @param request The request to be verified
+ * @param strict <code>true</code> to check for a valid Principal and
valid Session ID, <code>false</code> to only
+ * check for a valid saved request and matching URI
*
* @return <code>true</code> if the requests matched the saved one
*/
- protected boolean matchRequest(Request request) {
+ protected boolean matchRequest(Request request, boolean strict) {
// Has a session been created?
Session session = request.getSessionInternal(false);
if (session == null) {
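Review bot: The new single-argument overload `matchRequest(Request request)` at the top of the hunk has no Javadoc, since the existing Javadoc was moved to the two-argument version; a protected method that subclasses may override should say which variant it is, e.g. `/** Strict variant of {@link #matchRequest(Request, boolean)}: also requires a saved principal and, when the session id is changed on authentication, a matching session id. */`. The `@param strict` text would also benefit from naming the intended use of the non-strict form (the continuation check earlier in the file) so that it is not picked up by other callers as an authentication test. The body of matchRequest continues outside the hunk.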
@@ -520,17 +518,19 @@ public class FormAuthenticator extends AuthenticatorBase {
return false;
}
- // Is there a saved principal?
- if (cache && session.getPrincipal() == null || !cache &&
request.getPrincipal() == null) {
- return false;
- }
-
- // Does session id match?
- if (getChangeSessionIdOnAuthentication()) {
- String expectedSessionId = (String)
session.getNote(Constants.SESSION_ID_NOTE);
- if (expectedSessionId == null ||
!expectedSessionId.equals(request.getRequestedSessionId())) {
+ if (strict) {
+ // Is there a saved principal?
+ if (cache && session.getPrincipal() == null || !cache &&
request.getPrincipal() == null) {
return false;
}
+
+ // Does session id match?
+ if (getChangeSessionIdOnAuthentication()) {
+ String expectedSessionId = (String)
session.getNote(Constants.SESSION_ID_NOTE);
+ if (expectedSessionId == null ||
!expectedSessionId.equals(request.getRequestedSessionId())) {
+ return false;
+ }
+ }
}
// Does the request URI match?
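Review bot: The principal check re-indented inside the `if (strict)` block relies on `&&` binding tighter than `||`; since these lines are being rewritten anyway, parenthesising them removes the need to recall precedence: `if ((cache && session.getPrincipal() == null) || (!cache && request.getPrincipal() == null)) {`. Because `strict == false` bypasses both the principal check and the session-id binding check, a `true` result in that mode only says that some session with a saved request for this URI is present; a comment on the `if (strict)` line such as `// Non-strict callers must treat a match as "continue handling", never as proof of authentication` would make that explicit for future callers. The URI comparison that follows, and the rest of matchRequest, are outside the hunk.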