This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 65d9de34ac Preparation for fixing BZ 66120
65d9de34ac is described below
commit 65d9de34ac4e512afe374639494fdd9d7e055ade
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Aug 22 08:43:11 2022 +0100
Preparation for fixing BZ 66120
https://bz.apache.org/bugzilla/show_bug.cgi?id=66120
Once BZ 66120 is fixed, the session note that holds the current session
ID during FORM authentication will be replicated across the cluster. If
failover occurs during FORM authentication, this note also needs to be
updated.
This change is a NO-OP until the fix for BZ 66120 is committed.
---
.../catalina/ha/session/JvmRouteBinderValve.java | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
b/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
index c777d3e783..637d3a1dee 100644
--- a/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
+++ b/java/org/apache/catalina/ha/session/JvmRouteBinderValve.java
@@ -24,6 +24,7 @@ import org.apache.catalina.Cluster;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
+import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.ha.CatalinaCluster;
@@ -327,6 +328,7 @@ public class JvmRouteBinderValve extends ValveBase
implements ClusterValve {
fireLifecycleEvent("Before session migration", catalinaSession);
catalinaSession.getManager().changeSessionId(catalinaSession,
newSessionID);
changeRequestSessionID(request, sessionId, newSessionID);
+ changeSessionAuthenticationNote(sessionId, newSessionID,
catalinaSession);
fireLifecycleEvent("After session migration", catalinaSession);
if (log.isDebugEnabled()) {
log.debug(sm.getString("jvmRoute.changeSession", sessionId,
@@ -356,6 +358,23 @@ public class JvmRouteBinderValve extends ValveBase
implements ClusterValve {
}
+ /**
+ * Change the current session ID that is stored in a session note during
+ * authentication. It is part of the CSRF protection.
+ *
+ * @param sessionId The original session ID
+ * @param newSessionID The new session ID for node migration
+ * @param catalinaSession The session object (that will be using the new
+ * session ID at the point this method is
+ * called)
+ */
+ protected void changeSessionAuthenticationNote(String sessionId, String
newSessionID, Session catalinaSession) {
+ if
(sessionId.equals(catalinaSession.getNote(Constants.SESSION_ID_NOTE))) {
+ catalinaSession.setNote(Constants.SESSION_ID_NOTE, newSessionID);
+ }
+ }
+
+
/**
* Start this component and implement the requirements
* of {@link org.apache.catalina.util.LifecycleBase#startInternal()}.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
