Jonathan,

On Tue, Feb 18, 2020 at 5:29 PM Jonathan S. Fisher wrote:
> For older versions of tomcat, I'd suggest adding an additional option that
> causes GenericPrincipal to drop the password after authentication is
> complete, by default if persistAuthentication is enabled, which alleviates
> your concern.

Tomcat's GenericPrincipal implements Serializable only as of the 8.5 branch. However, the latest 8.5 version uses a helper class SerializablePrincipal (private static class in GenericPrincipal). In both 8.5 and 9.0 branch, this class also serializes the password, whereas in current 10.0 branch, there is no longer a password available in GenericPrincipal.

Although it would be a good idea to remove the password field generally from GenericPrincipal even in 8.5 and 9.0 (as in 10.0), it's likely easiest to just remove it from SerializablePrincipal in the older versions. So, even if the user's password is stored in memory, it's no longer persisted to storage and does not blame session and authentication persistence.

Carsten
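As an added illustration of the approach discussed above (this is example code, not Tomcat's GenericPrincipal or SerializablePrincipal; the class names DemoPrincipal and SerializableDemoPrincipal and the sample credential are hypothetical), the following Java program keeps the password in the in-memory principal but routes serialization through a private proxy class that carries only the name and roles. It then serializes a principal and scans the resulting bytes to confirm the credential never reaches the stream, and deserializes it back to show the password comes back absent.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;

/*
 * Illustrative example, not Tomcat code: a principal that holds the password
 * in memory but excludes it from its serialized form by using a serialization
 * proxy (writeReplace/readResolve). Persisted sessions therefore never carry
 * the credential, while in-memory callers still see it.
 */
public class ProxiedPrincipalDemo {

    /** Hypothetical principal; only the shape discussed in the thread. */
    public static final class DemoPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = 1L;

        private final String name;
        // transient as belt and braces: even default serialization would skip it
        private final transient String password;
        private final List<String> roles;

        public DemoPrincipal(String name, String password, List<String> roles) {
            this.name = name;
            this.password = password;
            this.roles = roles;
        }

        @Override public String getName() { return name; }
        public String getPassword() { return password; }
        public List<String> getRoles() { return roles; }

        /** Replace this object in the stream with a proxy carrying name and roles only. */
        private Object writeReplace() {
            return new SerializableDemoPrincipal(name, roles);
        }

        /** Refuse direct deserialization; only the proxy form is accepted. */
        private void readObject(ObjectInputStream in) throws IOException {
            throw new InvalidObjectException("use the serialization proxy");
        }
    }

    /** The serialized form: there is no password field to write at all. */
    private static final class SerializableDemoPrincipal implements Serializable {
        private static final long serialVersionUID = 1L;
        private final String name;
        private final List<String> roles;

        SerializableDemoPrincipal(String name, List<String> roles) {
            this.name = name;
            this.roles = roles;
        }

        /** Rebuild the principal with the password deliberately absent. */
        private Object readResolve() {
            return new DemoPrincipal(name, null, roles);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    /** Naive scan: does the credential appear verbatim anywhere in the stream? */
    static boolean contains(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) continue outer;
            }
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input; the credential is a made-up value.
        String secret = "sample-secret-not-real";
        DemoPrincipal p = new DemoPrincipal("alice", secret,
                Arrays.asList("manager-gui", "admin-gui"));

        byte[] stream = serialize(p);
        boolean leaked = contains(stream, secret.getBytes(StandardCharsets.UTF_8));
        System.out.println("password present in serialized form: " + leaked);

        DemoPrincipal back = (DemoPrincipal) deserialize(stream);
        System.out.println("name=" + back.getName() + " roles=" + back.getRoles()
                + " password=" + back.getPassword());
    }
}
```

The byte scan is a cheap regression check worth keeping in a unit test: ObjectOutputStream writes String fields as modified UTF-8, so an ASCII credential that is still being serialized shows up verbatim in the stream. Marking the field transient alone would also keep it out of default serialization, but the proxy additionally means a crafted stream cannot smuggle a password-bearing object back in through readObject, which is why the example blocks direct deserialization of the principal class.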

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
