Author: markt
Date: Wed Dec 15 16:41:31 2010
New Revision: 1049638
URL: http://svn.apache.org/viewvc?rev=1049638&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=10526
Add alwaysUseSession option to authenticators
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/valve.xml
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=1049638&r1=1049637&r2=1049638&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java
Wed Dec 15 16:41:31 2010
@@ -116,6 +116,19 @@ public abstract class AuthenticatorBase
/**
+ * Should a session always be used once a user is authenticated? This may
+ * offer some performance benefits since the session can then be used to
+ * cache the authenticated Principal, hence removing the need to
+ * authenticate the user via the Realm on every request. This may be of
help
+ * for combinations such as BASIC authentication used with the JNDIRealm or
+ * DataSourceRealms. However there will also be the performance cost of
+ * creating and GC'ing the session. By default, a session will not be
+ * created.
+ */
+ protected boolean alwaysUseSession = false;
+
+
+ /**
* Should we cache authenticated Principals if the request is part of
* an HTTP session?
*/
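Review bot: The new `alwaysUseSession` field has no getter or setter in the visible changes. The hunk offsets (+13 at line 116 and still +13 at line 694) suggest nothing was added between the two hunks, so unless accessors exist elsewhere the `alwaysUseSession` attribute documented in valve.xml may never reach this field, assuming Valve attributes are applied through bean-style setters. I would add `public boolean getAlwaysUseSession() { return alwaysUseSession; }` and `public void setAlwaysUseSession(boolean alwaysUseSession) { this.alwaysUseSession = alwaysUseSession; }` next to the other property accessors. The class body continues outside this hunk, so the accessor section itself is not visible here.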
@@ -681,10 +694,14 @@ public abstract class AuthenticatorBase
Session session = request.getSessionInternal(false);
- if (session != null && changeSessionIdOnAuthentication) {
- Manager manager = request.getContext().getManager();
- manager.changeSessionId(session);
- request.changeSessionId(session.getId());
+ if (session != null) {
+ if (changeSessionIdOnAuthentication) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+ } else if (alwaysUseSession) {
+ session = request.getSessionInternal(true);
}
// Cache the authentication information in our session, if any
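Review bot: The `else if (alwaysUseSession)` branch creates a session for every authenticated request that arrives without one. A client that never returns the session cookie, which is common for BASIC clients, would therefore get a fresh session on each request, each held until it times out. The Javadoc and valve.xml mention only the creation and GC cost; they do not say that a cached Principal bypasses the Realm, so disabling an account or changing a password there presumably has no effect until the session expires, nor that the session ID then stands in for the credentials. I would add a comment on the branch such as `// One session per authenticated request if the client does not return the cookie; Realm changes are not seen until the session expires`, and repeat the caveat in the attribute documentation. Whether the Principal is actually cached depends on the code after the `// Cache the authentication information` comment, which lies outside this hunk, as do the start and end of the enclosing method.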
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1049638&r1=1049637&r2=1049638&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Dec 15 16:41:31 2010
@@ -48,6 +48,11 @@
<bug>8705</bug>: <code>org.apache.catalina.SessionListener</code> now
extends <code>java.util.EventListener</code>. (markt)
</fix>
+ <add>
+ <bug>10526</bug>: Add an option to the <code>Authenticator</code>s to
+ force the creation of a session on authentication which may offer some
+ performance benefits. (markt)
+ </add>
<update>
<bug>48692</bug>: Provide option to parse
<code>application/x-www-form-urlencoded</code> PUT requests. (schultz)
Modified: tomcat/trunk/webapps/docs/config/valve.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/valve.xml?rev=1049638&r1=1049637&r2=1049638&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/valve.xml (original)
+++ tomcat/trunk/webapps/docs/config/valve.xml Wed Dec 15 16:41:31 2010
@@ -412,6 +412,17 @@
<strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
</attribute>
+ <attribute name="alwaysUseSession" required="false">
+ <p>Should a session always be used once a user is authenticated? This
+ may offer some performance benefits since the session can then be used
+ to cache the authenticated Principal, hence removing the need to
+ authenticate the user via the Realm on every request. This may be of
+ help for combinations such as BASIC authentication used with the
+ JNDIRealm or DataSourceRealms. However there will also be the
+ performance cost of creating and GC'ing the session. If not set, the
+ default value of <code>false</code> will be used.</p>
+ </attribute>
+
<attribute name="changeSessionIdOnAuthentication" required="false">
<p>Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session
fixation