https://issues.apache.org/bugzilla/show_bug.cgi?id=54190
Bug ID: 54190
Summary: TestNonLoginAndBasicAuthenticator does not test
session timeout properly
Product: Tomcat 7
Version: trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: br...@pingtoo.com
Classification: Unclassified
Created attachment 29621
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29621&action=edit
Extensive update to the test class to demonstrate session timeout properly
While working on a new test case for a different Authenticator, I decided to
follow the timeout test case in this class. Although all the test cases
currently run successfully, I discovered three fundamental flaws in the
existing timeout test case:
1. The BasicAuthenticator does not create a session by default, so there was no
session to actually timeout.
2. Context.setSessionTimeout() was called with a timeout in seconds, but this
method expects a timeout argument in minutes.
3. The presence of 401 Unauthorized status was intended to confirm a session
timeout, but it was erroneously succeeding because no credentials were supplied
when attempting to re-access the protected resource.
The attached patch is quite extensive, but cannot easily be broken into smaller
units:
1. The AuthenticatorBase.setAlwaysUseSession variable can now be manipulated by
test cases.
2. The doTestBasic method has been reimplemented so that it only makes a single
HTTP GET request (instead of two).
3. doTestBasic can now be controlled to authenticate or not, and it will also
harvest a session cookie and can also supply that cookie in subsequent
requests.
4. The doTestNonLogin method can be controlled to send a saved session cookie.
5. The erroneous timeout test case has been reimplemented has been renamed and
properly commented to explain that it is not testing a timeout.
6. A new session persistence test case has been added.
7. A new session persistence timeout test case has been added.
8. Raw boolean control flags have been replaced with self-documenting
constants.
9. Helpful comments have been added in some places where the logic is not
self-evident.
The enclosed patch file is backward compatible and passes checkstyle.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
