[ https://issues.apache.org/jira/browse/JS2-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12842422#action_12842422 ]

Ate Douma edited comment on JS2-1119 at 3/7/10 12:26 PM:
---------------------------------------------------------

I found the cause of the problem: a new setting in Tomcat 6.0.21+ (and 5.5.29+) 
called "changeSessionIdOnAuthentication" which is enabled by default...
This new setting effectively breaks our active authentication mechanism :(

Some references:
   
   https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
   http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
   http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

After I disabled the default setting for this in the jetspeed.xml Tomcat 
context descriptor like the following, active authentication worked again:

        <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
               characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>

However, as this new "feature" looks like an important security measure, 
further investigation is needed to determine *if* and how we can fix the 
Jetspeed active authentication again with this new feature remaining enabled.

For the time being, anyone wanting/needing to use Tomcat 6.0.21+/5.5.29+ 
together with Jetspeed active authentication temporarily needs to apply the 
above configuration adjustment.

      was (Author: adouma):
    I found the cause of the problem: a new setting in Tomcat 6.0.21+ (and 
5.5.29+) called "changeSessionIdOnAuthentication" which is enabled by default...
This new setting effectively breaks our active authentication mechanism :(

Some references:
   
   https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
   http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
   http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

After I disabled the default setting for this in the jetspeed.xml Tomcat 
context descriptor like the following, active authentication worked again:

        <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
               characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>

However, as this new "feature" looks like an important security measure, 
further investigation is needed to determine *if* and how we can fix the 
Jetspeed active authentication again with this new feature remaining enabled.

For the time being, anyone wanting/needing to use Tomcat 6.0.21+/5.5.29+ 
together with Jetspeed active authentication temporarily needs to apply the 
above configuration adjustment.
  
> Impossible to log in using Jetspeed 2 and Tomcat 6.0.24
> -------------------------------------------------------
>
>                 Key: JS2-1119
>                 URL: https://issues.apache.org/jira/browse/JS2-1119
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Components Core
>    Affects Versions: 2.2.1
>         Environment: Linux Ubuntu Lucid Lynx - Tomcat 6.0.24-2 - Java 1.5 and 
> 1.6
>            Reporter: Gonzalo Aguilar
>            Assignee: Ate Douma
>             Fix For: 2.2.1
>
>
> Jetspeed will not let you log in when deployed in Tomcat 6.0.24-2.
> After inserting user and password portal will reload as usual but will not 
> update its contents to reflect login success.
> No errors are shown in logs and no clue about what's going wrong as passwords 
> are accepted and normal login seems to perform normally. I traced the module to 
> DefaultLoginModule.login() and it works well and returns success when correct 
> user and login are used. But portal doesn't seem to reflect the login. The 
> problem must be in another place but I was not able to track it down.
> Steps to reproduce:
> 1.- Install Tomcat 6.0.22
> 2.- Deploy jetspeed 2 2.2.1 with libs in place.
> 3.- Log in as usual.
> It will not work.
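
Added example, not part of the original JIRA comment or of Jetspeed/Tomcat: because the workaround above switches off a setting that exists to prevent session fixation, the sketch below audits context descriptors for authenticator Valves that disable it, so the temporary change is tracked. The sample descriptors and the function name audit_descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH_PACKAGE = "org.apache.catalina.authenticator."
ATTR = "changeSessionIdOnAuthentication"

# Constructed sample descriptors (not taken from a real deployment).
WORKAROUND_XML = """<Context path="/jetspeed" docBase="jetspeed">
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>
</Context>"""

DEFAULT_XML = """<Context path="/jetspeed" docBase="jetspeed">
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         characterEncoding="UTF-8"/>
  <Valve className="org.apache.catalina.valves.AccessLogValve"/>
</Context>"""


def audit_descriptor(xml_text, source="<inline>"):
    """Return one finding per authenticator Valve that turns the setting off."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An unreadable descriptor is reported, not silently treated as clean.
        return [{"source": source, "valve": None, "issue": f"unparseable: {exc}"}]
    findings = []
    for valve in root.iter("Valve"):
        class_name = valve.get("className", "")
        if not class_name.startswith(AUTH_PACKAGE):
            continue  # not an authenticator valve, the attribute does not apply
        value = valve.get(ATTR)
        # Attribute absent: the default (enabled) applies, nothing to report.
        # Any explicit value other than "true" is flagged for review.
        if value is not None and value.strip().lower() != "true":
            findings.append({"source": source, "valve": class_name,
                             "issue": f'{ATTR}="{value}"'})
    return findings


if __name__ == "__main__":
    for name, text in (("workaround", WORKAROUND_XML), ("default", DEFAULT_XML)):
        for f in audit_descriptor(text, name):
            print(f"{f['source']}: {f['valve']}: {f['issue']}")
```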
