Re: issue with Form based authentication

2021-12-30 Thread Christopher Schultz

Mark, Rajendra,

On 12/30/21 06:13, Mark Thomas wrote:

This is an application design issue, not a Tomcat issue.

FORM auth is not intended / designed to work in the following scenario:
- user is not authenticated
- multiple, concurrent requests are made for resources requiring
   authentication

You need to design the application in such a way that once 
authentication is triggered, no further requests are made until 
authentication is complete.


+1

An easy way to do this is to make sure that all requests for static 
resources such as images, etc. are explicitly defined to NOT require any 
authentication, perhaps like this:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>unauthenticated-stuff</web-resource-name>
      <url-pattern>/path/to/static/a/*</url-pattern>
      <url-pattern>/path/to/static/a/*</url-pattern>
      <url-pattern>/path/to/static/b/*</url-pattern>
      ...
    </web-resource-collection>
    <!-- no auth-constraint element: these resources require no authentication -->
  </security-constraint>

-chris


On 30/12/2021 11:02, Rathore, Rajendra wrote:

Link to the image that shows the details:

https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing 




Thanks and Regards,
Rajendra Rathore
9922701491

From: Rathore, Rajendra
Sent: Thursday, December 30, 2021 4:25 PM
To: users@tomcat.apache.org
Subject: issue with Form based authentication
Importance: High

Hi Team,

We are facing a weird issue with Tomcat form-based authentication. 
I will try to explain the scenario below:

The issue is reproducible under specific conditions: when the browser 
cache is disabled and cleared out before the session timeout. Under 
these conditions, after the session timeout, when the user moves the 
mouse over some elements, requests for GIFs are sent. Those requests 
are processed by the Tomcat FormAuthenticator class. This class is 
responsible for saving the requested URL and redirecting the user to 
this saved URL after successful login. But this class saves all 
requests in the session using the same key, which means that old 
requests are overridden by new ones. In this case there are multiple 
requests after the session timeout, to get some GIFs and to show 
relogin.jsp in a popup window; those requests are handled by 
different threads, and the last executed thread saves the information 
about the requested URL to the session. We have a classic race 
condition here. If relogin.jsp is requested last, the issue is not 
reproducible; if some GIF is requested and saved last, the issue is 
reproducible.

Please let me know if any extra loggers are required; I will enable 
them and share with you.


Thanks and Regards,
Rajendra Rathore




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




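The race Rajendra describes and the static-resource exemption Chris suggests, modelled in Python as an added example (this is not code from the thread or from Tomcat): a simplified servlet-style URL-pattern matcher decides which requests need login, an unauthenticated session processes a constructed burst of requests in every possible arrival order, and the single saved-request slot is overwritten by whichever protected request arrives last. The constraint name and static paths are taken from Chris's snippet; the request paths, the `/*` constraint and the matching precedence (exact, longest path prefix, extension, default, without the combining rules Tomcat applies to overlapping constraints) are assumptions of the model.

```python
"""Model of FORM-auth saved-request overwriting and the static-resource exemption.

Simplified model, not Tomcat's code: one session key holds the "requested URL",
and security constraints are matched with servlet-spec precedence (exact match,
longest path prefix, extension, default), one winning constraint per request.
"""
from dataclasses import dataclass
from itertools import permutations

SAVED_REQUEST_KEY = "saved_request"  # single slot per session, as the thread describes


@dataclass
class Constraint:
    name: str
    patterns: list
    requires_auth: bool  # False models a <security-constraint> without <auth-constraint>


def _match_rank(pattern: str, path: str):
    """Return a sortable rank if `pattern` matches `path`, else None.
    A higher rank means a more specific match (servlet-spec precedence)."""
    if pattern == path:
        return (3, len(pattern))            # exact match wins
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))         # longest prefix wins among prefix patterns
    if pattern.startswith("*."):
        last = path.rsplit("/", 1)[-1]
        if "." in last and last.endswith(pattern[1:]):
            return (1, 0)                   # extension pattern, e.g. *.gif
    if pattern == "/":
        return (0, 0)                       # default pattern
    return None


def requires_auth(path: str, constraints: list) -> bool:
    """Pick the most specific matching constraint and report whether it needs login.
    A path no constraint covers needs no authentication (servlet default)."""
    best = None
    for c in constraints:
        for p in c.patterns:
            rank = _match_rank(p, path)
            if rank is not None and (best is None or rank > best[0]):
                best = (rank, c)
    return best is not None and best[1].requires_auth


def serve_burst(order, constraints):
    """Process one arrival order of requests from an unauthenticated session.
    Every protected request overwrites the single saved-request slot (last writer
    wins); returns the URL the user would be sent to after logging in."""
    session = {}
    for path in order:
        if requires_auth(path, constraints):
            session[SAVED_REQUEST_KEY] = path
    return session.get(SAVED_REQUEST_KEY)


def possible_post_login_targets(burst, constraints):
    """Every post-login redirect target reachable across all thread interleavings
    of the burst, modelled as all arrival orders."""
    return {serve_burst(order, constraints) for order in permutations(burst)}


# Constructed configurations: everything protected (the failing setup) versus the
# fix Chris suggests, a constraint without auth-constraint covering the static paths.
PROTECTED_ALL = [Constraint("app", ["/*"], requires_auth=True)]
WITH_STATIC_EXEMPTION = PROTECTED_ALL + [
    Constraint("unauthenticated-stuff",
               ["/path/to/static/a/*", "/path/to/static/b/*"],
               requires_auth=False),
]

# Constructed burst: after the session times out, mouse-over fires GIF requests
# concurrently with the request for relogin.jsp.
BURST = ["/path/to/static/a/hover.gif", "/relogin.jsp", "/path/to/static/b/spinner.gif"]

if __name__ == "__main__":
    print("no exemption  :", sorted(possible_post_login_targets(BURST, PROTECTED_ALL)))
    print("with exemption:", sorted(possible_post_login_targets(BURST, WITH_STATIC_EXEMPTION)))
```

With every path protected, any of the three URLs can end up as the post-login redirect target, which is the nondeterminism Rajendra observed; once the static paths are exempt, only /relogin.jsp is ever saved. The same matcher can be pointed at the url-patterns of a real web.xml to check that every image or script path a protected page loads falls under the exemption.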


Re: issue with Form based authentication

2021-12-30 Thread Mark Thomas

This is an application design issue, not a Tomcat issue.

FORM auth is not intended / designed to work in the following scenario:
- user is not authenticated
- multiple, concurrent requests are made for resources requiring
  authentication

You need to design the application in such a way that once 
authentication is triggered, no further requests are made until 
authentication is complete.


Mark


On 30/12/2021 11:02, Rathore, Rajendra wrote:

Link to the image that shows the details:

https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing


Thanks and Regards,
Rajendra Rathore
9922701491

From: Rathore, Rajendra
Sent: Thursday, December 30, 2021 4:25 PM
To: users@tomcat.apache.org
Subject: issue with Form based authentication
Importance: High

Hi Team,

We are facing a weird issue with Tomcat form-based authentication. I will 
try to explain the scenario below:

The issue is reproducible under specific conditions: when the browser cache is 
disabled and cleared out before the session timeout. Under these conditions, 
after the session timeout, when the user moves the mouse over some elements, 
requests for GIFs are sent. Those requests are processed by the Tomcat 
FormAuthenticator class. This class is responsible for saving the requested 
URL and redirecting the user to this saved URL after successful login. But 
this class saves all requests in the session using the same key, which means 
that old requests are overridden by new ones. In this case there are multiple 
requests after the session timeout, to get some GIFs and to show relogin.jsp 
in a popup window; those requests are handled by different threads, and the 
last executed thread saves the information about the requested URL to the 
session. We have a classic race condition here. If relogin.jsp is requested 
last, the issue is not reproducible; if some GIF is requested and saved last, 
the issue is reproducible.

Please let me know if any extra loggers are required; I will enable them and 
share with you.

Thanks and Regards,
Rajendra Rathore







RE: issue with Form based authentication

2021-12-30 Thread Rathore, Rajendra
Link to the image that shows the details:

https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing


Thanks and Regards,
Rajendra Rathore
9922701491

From: Rathore, Rajendra
Sent: Thursday, December 30, 2021 4:25 PM
To: users@tomcat.apache.org
Subject: issue with Form based authentication
Importance: High

Hi Team,

We are facing a weird issue with Tomcat form-based authentication. I will 
try to explain the scenario below:

The issue is reproducible under specific conditions: when the browser cache is 
disabled and cleared out before the session timeout. Under these conditions, 
after the session timeout, when the user moves the mouse over some elements, 
requests for GIFs are sent. Those requests are processed by the Tomcat 
FormAuthenticator class. This class is responsible for saving the requested 
URL and redirecting the user to this saved URL after successful login. But 
this class saves all requests in the session using the same key, which means 
that old requests are overridden by new ones. In this case there are multiple 
requests after the session timeout, to get some GIFs and to show relogin.jsp 
in a popup window; those requests are handled by different threads, and the 
last executed thread saves the information about the requested URL to the 
session. We have a classic race condition here. If relogin.jsp is requested 
last, the issue is not reproducible; if some GIF is requested and saved last, 
the issue is reproducible.

Please let me know if any extra loggers are required; I will enable them and 
share with you.

Thanks and Regards,
Rajendra Rathore



issue with Form based authentication

2021-12-30 Thread Rathore, Rajendra
Hi Team,

We are facing a weird issue with Tomcat form-based authentication. I will 
try to explain the scenario below:

The issue is reproducible under specific conditions: when the browser cache is 
disabled and cleared out before the session timeout. Under these conditions, 
after the session timeout, when the user moves the mouse over some elements, 
requests for GIFs are sent. Those requests are processed by the Tomcat 
FormAuthenticator class. This class is responsible for saving the requested 
URL and redirecting the user to this saved URL after successful login. But 
this class saves all requests in the session using the same key, which means 
that old requests are overridden by new ones. In this case there are multiple 
requests after the session timeout, to get some GIFs and to show relogin.jsp 
in a popup window; those requests are handled by different threads, and the 
last executed thread saves the information about the requested URL to the 
session. We have a classic race condition here. If relogin.jsp is requested 
last, the issue is not reproducible; if some GIF is requested and saved last, 
the issue is reproducible.

Please let me know if any extra loggers are required; I will enable them and 
share with you.

Thanks and Regards,
Rajendra Rathore