Arnaud MERGEY created FEDIZ-243:
-----------------------------------
Summary: Fediz tomcat valve is broken with recent tomcat version
Key: FEDIZ-243
URL: https://issues.apache.org/jira/browse/FEDIZ-243
Project: CXF-Fediz
Issue Type: Bug
Components: Plugin
Affects Versions: 1.4.6
Reporter: Arnaud MERGEY
Since 8.5.50 and 9.0.30, the fediz tomcat valve stopped working because of a
security fix done in FormAuthenticator:
_Refactor FORM authentication to reduce duplicate code and to ensure that the
authenticated Principal is not cached in the session when caching is disabled.
(markt)_
which has been done with this commit:
[https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652#diff-d3a23672da52a023e04cefd774dbe896]
I need to investigate more, but I think the main issue is that
{code:java}
// in org.apache.cxf.fediz.tomcat8.FederationAuthenticator.restoreRequest(Request, HttpServletResponse)
Principal principal = (Principal) session.getNote(Constants.FORM_PRINCIPAL_NOTE);
{code}
is not working anymore, as Constants.FORM_PRINCIPAL_NOTE is not used anymore.