
Refactor so Principal is never cached in session with cache==false

markt-asf committed Dec 5, 2019
1 parent 0fded7d commit e19a202ee43b6e2a538be5515ae0ab32d8ef112c
@@ -1135,10 +1135,11 @@ private void register(Request request, HttpServletResponse response, Principal p
}

// Cache the authentication information in our session, if any
if (cache) {
if (session != null) {
if (session != null) {
if (cache) {
session.setAuthType(authType);
session.setPrincipal(principal);
} else {
if (username != null) {
session.setNote(Constants.SESS_USERNAME_NOTE, username);
} else {
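Review bot: The comment above this branch still reads `// Cache the authentication information in our session, if any`, but with the new `} else {` the cache==false side caches nothing — it stores the username as a session note (and, following the pattern used elsewhere in this commit, the password) so that later requests can re-authenticate. I would reword it to `// With cache enabled keep the Principal on the Session; otherwise keep only the credentials as notes so each later request can re-authenticate against the Realm` so a reader does not assume the Principal is persisted in both branches. The else body and the rest of register() continue past the end of the hunk, so the password-note write itself is not visible here.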
@@ -82,7 +82,10 @@

/**
* The previously authenticated principal (if caching is disabled).
*
* @deprecated Unused. Will be removed in Tomcat 10.
*/
@Deprecated
public static final String FORM_PRINCIPAL_NOTE = "org.apache.catalina.authenticator.PRINCIPAL";

/**
@@ -132,10 +132,6 @@ public void setLandingPage(String landingPage) {
protected boolean doAuthenticate(Request request, HttpServletResponse response)
throws IOException {

if (checkForCachedAuthentication(request, response, true)) {
return true;
}

// References to objects we will need later
Session session = null;
Principal principal = null;
@@ -154,9 +150,8 @@ protected boolean doAuthenticate(Request request, HttpServletResponse response)
}
principal = context.getRealm().authenticate(username, password);
if (principal != null) {
session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);
if (!matchRequest(request)) {
register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);
return true;
}
}
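Review bot: The reordering so that `register(...)` runs before `matchRequest(request)` is load-bearing and deserves a comment: in this same commit matchRequest() tests `request.getPrincipal()` when caching is disabled, so calling it before register() would never match. I would add above the register call `// register() must precede matchRequest(): with cache==false, matchRequest() looks for the Principal on the Request, which register() is expected to set` — "expected to set" because register()'s body is not part of this hunk. The enclosing reauthentication block starts before the hunk and doAuthenticate() continues after it.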
@@ -173,16 +168,6 @@ protected boolean doAuthenticate(Request request, HttpServletResponse response)
if (log.isDebugEnabled()) {
log.debug("Restore request from session '" + session.getIdInternal() + "'");
}
principal = (Principal) session.getNote(Constants.FORM_PRINCIPAL_NOTE);
register(request, response, principal, HttpServletRequest.FORM_AUTH,
(String) session.getNote(Constants.SESS_USERNAME_NOTE),
(String) session.getNote(Constants.SESS_PASSWORD_NOTE));
// If we're caching principals we no longer need the user name
// and password in the session, so remove them
if (cache) {
session.removeNote(Constants.SESS_USERNAME_NOTE);
session.removeNote(Constants.SESS_PASSWORD_NOTE);
}
if (restoreRequest(request, session)) {
if (log.isDebugEnabled()) {
log.debug("Proceed to restored request");
@@ -197,6 +182,12 @@ protected boolean doAuthenticate(Request request, HttpServletResponse response)
}
}

// This check has to be after the previous check for a matching request
// because that matching request may also include a cached Principal.
if (checkForCachedAuthentication(request, response, true)) {
return true;
}

// Acquire references to objects we will need to evaluate
String contextPath = request.getContextPath();
String requestURI = request.getDecodedRequestURI();
@@ -283,12 +274,7 @@ protected boolean doAuthenticate(Request request, HttpServletResponse response)
return false;
}

// Save the authenticated Principal in our session
session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);

// Save the username and password as well
session.setNote(Constants.SESS_USERNAME_NOTE, username);
session.setNote(Constants.SESS_PASSWORD_NOTE, password);
register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);

// Redirect the user to the original request URI (which will cause
// the original request to be restored)
@@ -489,7 +475,7 @@ protected boolean matchRequest(Request request) {
}

// Is there a saved principal?
if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) {
if (cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null) {
return false;
}
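Review bot: The condition `cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null` relies on `&&` binding tighter than `||`; it is correct, but in a guard that decides whether a saved request may be replayed the grouping should be explicit: `if ((cache && session.getPrincipal() == null) || (!cache && request.getPrincipal() == null)) {`. The comment above it, `// Is there a saved principal?`, is also stale now that no principal note is consulted; I would replace it with `// Is there an authenticated Principal? With cache it lives on the Session; without cache it must already be on the Request.` matchRequest() starts before the hunk and continues after it.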

@@ -519,7 +505,6 @@ protected boolean restoreRequest(Request request, Session session)
// Retrieve and remove the SavedRequest object from our session
SavedRequest saved = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
session.removeNote(Constants.FORM_REQUEST_NOTE);
session.removeNote(Constants.FORM_PRINCIPAL_NOTE);
if (saved == null) {
return false;
}
