http://issues.apache.org/bugzilla/show_bug.cgi?id=43477

Summary: Bug fix 41217 causes another bug
Product: Tomcat 6
Version: 6.0.4
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: blocker
Priority: P2
Component: Catalina
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

In the package "org.apache.catalina.authenticator", someone made a modification in the abstract class "AuthenticatorBase" to keep the SSO cookie secure if it was previously secure. See the snapshot of the code:

    register(Request request, Response response, Principal principal,
             String authType, String username, String password) {
        ...
        // Bugzilla 41217
        cookie.setSecure(request.isSecure());
        ...
    }

So in this case you force all applications to run under SSL if the SSO cookie was created under SSL. See this scenario:

1- I have a web application "myapp" with 2 simple JSP pages
   - one page contains 5 links to 5 applications (so I have 6 applications)
   - the other JSP is a login page (FORM based authentication, j_security_check)
2- All my applications are secured and running in the same Tomcat under SSO
3- I log on to my application "myapp" using SSL to protect my password, and the JSP with the list of 5 applications is displayed and all is OK
4- In this case the SSO cookie isSecure() and is transmitted only in SSL requests
5- I click one link in the list, and if the link uses https it works fine, but if I want to use a link in http the authentication fails

So to work fine, I have to make all my applications in SSL mode, otherwise the SSO fails because the cookie was created in SSL mode. I think it's a bad restriction. What do you think?

thanks
Mustapha AIT-IDIR
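The scenario above reproduced with Python's standard cookie jar, as an added example that is not part of the bug report or of Tomcat: the login response sets JSESSIONIDSSO with the Secure flag following the scheme of the login request (the Bugzilla 41217 behaviour quoted in the report), and the client-side cookie policy then withholds the cookie from any plain-http link, which is exactly why the http links fail. The third case also shows the trade-off that flag guards against: a cookie issued over plain http is sent in the clear to every application. Host name and token value are constructed for the example.

```python
"""Model of Tomcat bug 43477: a Secure SSO cookie is not sent to plain-http applications."""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal response stand-in; CookieJar.extract_cookies only needs .info()."""

    def __init__(self, set_cookie: str):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def tomcat_sso_set_cookie(request_is_secure: bool, token: str = "TOKEN-constructed") -> str:
    """Mimic AuthenticatorBase.register(): the Secure flag follows request.isSecure()."""
    header = f"JSESSIONIDSSO={token}; Path=/"
    return header + "; Secure" if request_is_secure else header


def sso_cookie_presented(login_url: str, app_url: str) -> bool:
    """Log in at login_url, then report whether a browser-like cookie jar sends the SSO cookie to app_url."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy enforces the Secure attribute
    login_req = urllib.request.Request(login_url)
    login_resp = _FakeResponse(tomcat_sso_set_cookie(login_req.type == "https"))
    jar.extract_cookies(login_resp, login_req)

    app_req = urllib.request.Request(app_url)
    jar.add_cookie_header(app_req)  # adds a Cookie header only if the policy allows it
    return "JSESSIONIDSSO=" in (app_req.get_header("Cookie") or "")


def scenario(host: str = "sso.example.test") -> dict:
    """The reporter's three link cases; the last one shows why Secure matters for the SSO token."""
    https_login = f"https://{host}/myapp/login.jsp"
    http_login = f"http://{host}/myapp/login.jsp"
    return {
        "https_login_https_link": sso_cookie_presented(https_login, f"https://{host}/app1/"),
        "https_login_http_link": sso_cookie_presented(https_login, f"http://{host}/app2/"),
        # Login over plain http: no Secure flag, so the SSO token travels in cleartext.
        "http_login_http_link": sso_cookie_presented(http_login, f"http://{host}/app2/"),
    }
```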