Author: markt
Date: Sun Dec 20 17:48:53 2009
New Revision: 892622
URL: http://svn.apache.org/viewvc?rev=892622&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39231
Make sure LoginModule.logout() is called when using JAASRealm
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/GenericPrincipal.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/LocalStrings.properties
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/StandardSession.java
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=892622&r1=892621&r2=892622&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Sun Dec 20 17:48:53 2009
@@ -33,13 +33,6 @@
0: fhanik - big step for an old branch, could be risky, I'd wait until
after next release if we consider it
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39231
- It is updated version of Mark's patch,
- where the new method in JAASRealm calls the old one.
- http://people.apache.org/~kkolinko/patches/2009-11-02_bug39231.patch
- +1: kkolinko, markt, rjung
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39844
Port r588477 (fix for #43668) by billbarker that corrected this for Tomcat 6
http://people.apache.org/~markt/patches/2009-07-11-bug39844.patch
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/GenericPrincipal.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/GenericPrincipal.java?rev=892622&r1=892621&r2=892622&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/GenericPrincipal.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/GenericPrincipal.java
Sun Dec 20 17:48:53 2009
@@ -22,6 +22,9 @@
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
+
+import javax.security.auth.login.LoginContext;
+
import org.apache.catalina.Realm;
@@ -84,6 +87,26 @@
public GenericPrincipal(Realm realm, String name, String password,
List roles, Principal userPrincipal) {
+ this(realm, name, password, roles, userPrincipal, null);
+ }
+
+ /**
+ * Construct a new Principal, associated with the specified Realm, for the
+ * specified username and password, with the specified role names
+ * (as Strings).
+ *
+ * @param realm The Realm that owns this principal
+ * @param name The username of the user represented by this Principal
+ * @param password Credentials used to authenticate this user
+ * @param roles List of roles (must be Strings) possessed by this user
+ * @param userPrincipal - the principal to be returned from the request
+ * getUserPrincipal call if not null; if null, this will be returned
+ * @param loginContext - If provided, this will be used to log out the
user
+ * at the appropriate time
+ */
+ public GenericPrincipal(Realm realm, String name, String password,
+ List roles, Principal userPrincipal,
+ LoginContext loginContext) {
super();
this.realm = realm;
this.name = name;
@@ -95,6 +118,7 @@
if (this.roles.length > 0)
Arrays.sort(this.roles);
}
+ this.loginContext = loginContext;
}
@@ -159,6 +183,16 @@
}
}
+
+ /**
+ * The JAAS LoginContext, if any, used to authenticate this Principal.
+ * Kept so we can call logout().
+ */
+ protected LoginContext loginContext = null;
+
+ void setLoginContext( LoginContext loginContext ) {
+ this.loginContext=loginContext;
+ }
// --------------------------------------------------------- Public Methods
@@ -196,5 +230,22 @@
}
+
+ /**
+ * Calls logout, if necessary, on any associated JAASLoginContext. May in
+ * the future be extended to cover other logout requirements.
+ *
+ * @throws Exception If something goes wrong with the logout. Uses
Exception
+ * to allow for future expansion of this method to cover
+ * other logout mechanisms that might throw a different
+ * exception to LoginContext
+ *
+ */
+ public void logout() throws Exception {
+ if (loginContext != null) {
+ loginContext.logout();
+ }
+ }
+
}
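Review bot: `logout()` leaves `loginContext` set after using it, so every later call on the same principal invokes `LoginContext.logout()` on an already logged-out context. If one logout per context is the intent, take the reference into a local and clear the field first: `LoginContext lc = loginContext; loginContext = null; if (lc != null) lc.logout();`. If repeated calls are expected to be harmless, the Javadoc should say so, since the LoginModules' behaviour on a second logout is not visible here.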
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/JAASRealm.java?rev=892622&r1=892621&r2=892622&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/realm/JAASRealm.java
Sun Dec 20 17:48:53 2009
@@ -429,7 +429,7 @@
log.debug(sm.getString("jaasRealm.loginContextCreated", username));
// Return the appropriate Principal for this authenticated Subject
- Principal principal = createPrincipal(username, subject);
+ Principal principal = createPrincipal(username, subject, loginContext);
if (principal == null) {
log.debug(sm.getString("jaasRealm.authenticateFailure", username));
return (null);
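Review bot: The `principal == null` branch returns without calling `loginContext.logout()`, so a context that appears to have completed `login()` is dropped while its LoginModules keep whatever state they committed. Now that the realm hands the context on for a later logout, this failure path should release it too, for example `try { loginContext.logout(); } catch (LoginException e) { /* log at debug */ }` ahead of `return (null);`. That `login()` has already succeeded at this point is inferred from the "loginContextCreated" message and the comment about the authenticated Subject. The method body starts and ends outside the hunk.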
@@ -480,16 +480,8 @@
/**
- * Identify and return a <code>java.security.Principal</code> instance
- * representing the authenticated user for the specified
<code>Subject</code>.
- * The Principal is constructed by scanning the list of Principals returned
- * by the JAASLoginModule. The first <code>Principal</code> object that
matches
- * one of the class names supplied as a "user class" is the user Principal.
- * This object is returned to tha caller.
- * Any remaining principal objects returned by the LoginModules are mapped
to
- * roles, but only if their respective classes match one of the "role
class" classes.
- * If a user Principal cannot be constructed, return <code>null</code>.
- * @param subject The <code>Subject</code> representing the logged-in user
+ * @deprecated
+ * Use {...@link JAASRealm#createPrincipal(String, Subject, LoginContext)}
*/
protected Principal createPrincipal(String username, Subject subject) {
// Prepare to scan the Principals for this Subject
@@ -541,6 +533,29 @@
return new GenericPrincipal(this, username, null, roles,
userPrincipal);
}
+ /**
+ * Identify and return a <code>java.security.Principal</code> instance
+ * representing the authenticated user for the specified
<code>Subject</code>.
+ * The Principal is constructed by scanning the list of Principals returned
+ * by the JAASLoginModule. The first <code>Principal</code> object that
matches
+ * one of the class names supplied as a "user class" is the user Principal.
+ * This object is returned to the caller.
+ * Any remaining principal objects returned by the LoginModules are mapped
to
+ * roles, but only if their respective classes match one of the "role
class" classes.
+ * If a user Principal cannot be constructed, return <code>null</code>.
+ * @param subject The <code>Subject</code> representing the logged-in user
+ * @param loginContext Associated with the Principal so
+ * {...@link LoginContext#logout()} can be called later
+ */
+ protected Principal createPrincipal(String username, Subject subject,
+ LoginContext loginContext) {
+ Principal principal = createPrincipal(username, subject);
+ if (principal instanceof GenericPrincipal) {
+ ((GenericPrincipal) principal).setLoginContext(loginContext);
+ }
+ return principal;
+ }
+
/**
* Ensure the given name is legal for JAAS configuration.
* Added for Bugzilla 30869, made protected for easy customization
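Review bot: When `createPrincipal(username, subject)` returns something other than a `GenericPrincipal`, which a subclass overriding that protected method may do, the `instanceof` test skips `setLoginContext` silently and `LoginModule.logout()` never runs for that user. A debug message in an `else` branch, or a Javadoc sentence saying that logout is only wired up for `GenericPrincipal`, would make the gap visible to whoever maintains such a subclass. The new Javadoc also lacks `@param username`; I would add `@param username The name of the user being authenticated`. Since the real work stays in the overload now marked `@deprecated`, a short comment that it is kept as the override point for existing subclasses would explain why the new method calls deprecated code.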
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/LocalStrings.properties?rev=892622&r1=892621&r2=892622&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/LocalStrings.properties
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/LocalStrings.properties
Sun Dec 20 17:48:53 2009
@@ -60,6 +60,7 @@
standardSession.getId.ise=getId: Session already invalidated
standardSession.getMaxInactiveInterval.ise=getMaxInactiveInterval: Session
already invalidated
standardSession.getValueNames.ise=getValueNames: Session already invalidated
+standardSession.logoutfail=Exception logging out user when expiring session
standardSession.notSerializable=Cannot serialize session attribute {0} for
session {1}
standardSession.removeAttribute.ise=removeAttribute: Session already
invalidated
standardSession.sessionEvent=Session event listener threw exception
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/StandardSession.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/StandardSession.java?rev=892622&r1=892621&r2=892622&view=diff
==============================================================================
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/StandardSession.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/session/StandardSession.java
Sun Dec 20 17:48:53 2009
@@ -55,6 +55,7 @@
import org.apache.catalina.util.Enumerator;
import org.apache.catalina.util.StringManager;
+import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.security.SecurityUtil;
/**
@@ -747,6 +748,18 @@
fireSessionEvent(Session.SESSION_DESTROYED_EVENT, null);
}
+ // Call the logout method
+ if (principal instanceof GenericPrincipal) {
+ GenericPrincipal gp = (GenericPrincipal) principal;
+ try {
+ gp.logout();
+ } catch (Exception e) {
+ manager.getContainer().getLogger().error(
+ sm.getString("standardSession.logoutfail"),
+ e);
+ }
+ }
+
// We have completed expire of this session
expiring = false;
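Review bot: The logout is driven by a single session expiring, yet nothing here shows that `principal` belongs to this session alone. If the same `GenericPrincipal` instance can be attached to several sessions (for example through single sign-on, which is not visible in this hunk), the first session to expire logs out the JAAS context the others still rely on, and each later expiry calls `logout()` again. The comment should state the ownership assumption, e.g. `// Log out the JAAS context; assumes this principal is not shared with another live session`, or the sharing case should be confirmed and handled. The `catch` block also dereferences `manager.getContainer().getLogger()`, so a null manager or container there would throw out of the method before `expiring = false` is reached. The enclosing method starts and ends outside the hunk.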
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=892622&r1=892621&r2=892622&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Sun Dec 20
17:48:53 2009
@@ -67,6 +67,10 @@
terminal. (markt)
</fix>
<fix>
+ <bug>39231</bug>: Call LoginModule.logout() when using JAASRealm.
+ (markt/kkolinko)
+ </fix>
+ <fix>
<bug>41059</bug>: Reduce the chances of errors when using
ENABLE_CLEAR_REFERENCES. Patch by Curt Arnold. (markt)
</fix>