[ https://issues.apache.org/jira/browse/FEDIZ-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Arnaud MERGEY updated FEDIZ-243:
--------------------------------
Description:
Since 8.5.50 and 9.0.30, the fediz tomcat valve stops working.
With these versions of tomcat the authentication never succeeds, even with
correct credentials, and falls into an infinite redirect loop between tomcat and
the IDP server.
This behavior is due to matchRequest from FormAuthenticator always returning
false.
A security fix has been applied to FormAuthenticator:
_Refactor FORM authentication to reduce duplicate code and to ensure that the
authenticated Principal is not cached in the session when caching is disabled.
(markt)_
This was done in this commit:
[https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652#diff-d3a23672da52a023e04cefd774dbe896]
was:
Since 8.5.50 and 9.0.30, the fediz tomcat valve stops working because of a
security fix done in FormAuthenticator:
_Refactor FORM authentication to reduce duplicate code and to ensure that the
authenticated Principal is not cached in the session when caching is disabled.
(markt)_
This was done in this commit:
[https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652#diff-d3a23672da52a023e04cefd774dbe896]
I need to investigate more, but I think the main issue is
{code:java}
// in org.apache.cxf.fediz.tomcat8.FederationAuthenticator.restoreRequest(Request, HttpServletResponse)
Principal principal = (Principal) session.getNote(Constants.FORM_PRINCIPAL_NOTE);
{code}
is not working anymore, as Constants.FORM_PRINCIPAL_NOTE is not used anymore.
> Fediz tomcat valve is broken with recent tomcat version
> -------------------------------------------------------
>
> Key: FEDIZ-243
> URL: https://issues.apache.org/jira/browse/FEDIZ-243
> Project: CXF-Fediz
> Issue Type: Bug
> Components: Plugin
> Affects Versions: 1.4.6
> Reporter: Arnaud MERGEY
> Priority: Critical
> Labels: tomcat
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
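The redirect loop described in the report can be reproduced in a small model. The following is an added example, not code from the Fediz project or from Tomcat: a constructed simulation in which the authenticator either does or does not store the principal under a session note, the valve's match step only succeeds when that note is present, and a redirect cap (a hypothetical `max_redirects`, not a Tomcat setting) turns the otherwise endless bounce between service provider and IDP into a detectable "redirect-loop" outcome. The note key and the user name are constructed values.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed note key standing in for Constants.FORM_PRINCIPAL_NOTE; the real
# constant's value is not part of this model.
FORM_PRINCIPAL_NOTE = "FORM_PRINCIPAL_NOTE"


@dataclass
class Session:
    """Minimal model of a servlet session: a notes map plus a principal slot."""
    notes: dict = field(default_factory=dict)
    principal: Optional[str] = None


def form_authenticator_login(session: Session, user: str, store_note: bool) -> None:
    """Model of the authenticator after the IDP has confirmed the credentials.

    store_note=True mirrors the pre-refactor behaviour the valve relied on
    (principal also stored as a session note); store_note=False mirrors the
    refactored behaviour in which the note is no longer written.
    """
    session.principal = user
    if store_note:
        session.notes[FORM_PRINCIPAL_NOTE] = user


def valve_match_request(session: Session) -> bool:
    """Model of the valve's restoreRequest/matchRequest step: it only treats the
    request as authenticated when the principal note is present."""
    return session.notes.get(FORM_PRINCIPAL_NOTE) is not None


def run_flow(store_note: bool, max_redirects: int = 10) -> Tuple[str, int]:
    """Simulate the browser bouncing between the valve (SP) and the IDP.

    Returns (outcome, hops): "authenticated" once the valve accepts the request,
    or "redirect-loop" when the hypothetical redirect cap is reached.
    """
    session = Session()
    hops = 0
    while hops < max_redirects:
        # SP side: serve the page if the request can be matched to a principal.
        if valve_match_request(session):
            return ("authenticated", hops)
        hops += 1  # valve redirects the browser to the IDP
        # IDP side: credentials are correct, token comes back, login is processed,
        # and the browser is redirected to the originally requested resource.
        form_authenticator_login(session, "alice", store_note)
        hops += 1
    # The cap fired: every round trip ended with matchRequest returning false.
    return ("redirect-loop", hops)


if __name__ == "__main__":
    print("note stored   :", run_flow(store_note=True))   # → ('authenticated', 2)
    print("note not stored:", run_flow(store_note=False))  # → ('redirect-loop', 10)
```

In the second run the session does carry a principal, but the valve never consults it, so each round trip ends exactly where it started; capping redirects is what makes the symptom visible instead of letting the browser spin.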