[ https://issues.apache.org/jira/browse/FEDIZ-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved FEDIZ-243.
---------------------------------------
    Resolution: Fixed

> Fediz tomcat valve is broken with recent tomcat version
> -------------------------------------------------------
>
>                 Key: FEDIZ-243
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-243
>             Project: CXF-Fediz
>          Issue Type: Bug
>          Components: Plugin
>    Affects Versions: 1.4.6
>            Reporter: Arnaud MERGEY
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>              Labels: tomcat
>             Fix For: 1.5.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Since 8.5.50 and 9.0.30, the fediz tomcat valve has stopped working.
> With these versions of tomcat the authentication never succeeds, even with
> correct credentials, and falls into an infinite redirect loop between tomcat and
> the IDP server.
> This behavior is due to matchRequest from FormAuthenticator always
> returning false.
> A security fix has been applied to FormAuthenticator:
> _Refactor FORM authentication to reduce duplicate code and to ensure that the
> authenticated Principal is not cached in the session when caching is
> disabled. (markt)_
> Which has been done with this commit
> [https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652#diff-d3a23672da52a023e04cefd774dbe896]