https://bz.apache.org/bugzilla/show_bug.cgi?id=62036

            Bug ID: 62036
           Summary: Roles stripped when using programmatic login() in
                    tomcat 8.5 but not 8.0
           Product: Tomcat 8
           Version: 8.5.27
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: knst.koli...@gmail.com
  Target Milestone: ----

Filing a Bugzilla entry for an issue reported by Robert J. Carr on the users@
list. See
http://markmail.org/message/rfm2qejzgcd2uwmh

I can confirm that the issue is reproducible in the current Tomcat 8.5 and 9.0.

Steps to reproduce:

[quote]
To reproduce the problem in tomcat 8.5.24 (for me):

 1)  make a user available with the role "testrole" (I just use
tomcat-users)

 2) startup tomcat, copy the war file into webapps

 3) go to the application homepage, index.jsp should auto load

 4) enter username and password and login; it should change to the username
you're authenticated with

 5) hit the auth test link and it should give you a success message

 6) hit the same link again and it should give you a 403

If you want to see how things are changing, I created an unprotected page
called /authinfo (no jsp) that shows the logged in user and role.  Here's
what it shows as you proceed through the test:

 * no user or role
 * user and role
 * user, but no role

If you do this same process in tomcat 8 (8.0.43, for me) it works fine,
particularly, you can hit the link as many times as you want and the
roles never go away until you logout.  And generally, the login/test/logout
works perfectly, where in 8.5 even if you logout it doesn't always log you
back in the next time either.  Sometimes it takes several attempts.
[/quote]
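
A diagnostic servlet along the lines of the /authinfo page described in the quoted steps, as an added example that is not the reporter's WAR or Tomcat project code. The class name, the POST handler and the `username`/`password` parameter names are assumptions; it targets the `javax.servlet` API used by Tomcat 8.5 and 9.0.

```java
// Added example: names and URL mapping are hypothetical, not taken from the report's WAR.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/authinfo") // must stay outside any <security-constraint>
public class AuthInfoServlet extends HttpServlet {
    private static final String ROLE = "testrole"; // role named in the report

    // POST: programmatic login against the container's configured Realm.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // login() throws ServletException if a caller is already authenticated
        // or if the credentials are rejected, so only call it when anonymous.
        if (req.getUserPrincipal() == null) {
            req.login(req.getParameter("username"), req.getParameter("password"));
        }
        report(req, resp);
    }

    // GET: show what the container believes about the current request.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        report(req, resp);
    }

    private void report(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Plain text so a user name is never interpreted as markup.
        resp.setContentType("text/plain;charset=UTF-8");
        Principal p = req.getUserPrincipal();
        HttpSession s = req.getSession(false); // do not create a session just to look
        PrintWriter out = resp.getWriter();
        out.println("session   = " + (s == null ? "none" : "present"));
        out.println("user      = " + (p == null ? "none" : p.getName()));
        out.println("principal = " + (p == null ? "none" : p.getClass().getName()));
        out.println(ROLE + "  = " + req.isUserInRole(ROLE));
    }
}
```

Requesting it after each step of the reproduction shows whether the principal itself or only the role check changes between requests.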
