Author: remy.maucherat(a)jboss.com
Date: 2014-01-10 09:25:54 -0500 (Fri, 10 Jan 2014)
New Revision: 2336
Modified:
branches/7.4.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
branches/7.4.x/webapps/docs/sysprops.xml
Log:
Port the alwaysUseSession option from Tomcat, disabled by default (as in Tomcat).
Modified:
branches/7.4.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
---
branches/7.4.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2014-01-07
09:27:45 UTC (rev 2335)
+++
branches/7.4.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2014-01-10
14:25:54 UTC (rev 2336)
@@ -121,7 +121,20 @@
protected boolean unregisterSsoOnLogout =
Boolean.valueOf(System.getProperty("org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT",
"false")).booleanValue();
+ /**
+ * Should a session always be used once a user is authenticated? This may
+ * offer some performance benefits since the session can then be used to
+ * cache the authenticated Principal, hence removing the need to
+ * authenticate the user via the Realm on every request. This may be of help
+ * for combinations such as BASIC authentication used with the JNDIRealm or
+ * DataSourceRealms. However there will also be the performance cost of
+ * creating and GC'ing the session. By default, a session will not be
+ * created.
+ */
+ protected boolean alwaysUseSession =
+
Boolean.valueOf(System.getProperty("org.apache.catalina.authenticator.AuthenticatorBase.ALWAYS_USE_SESSION",
"false")).booleanValue();
+
/**
* The Context to which this Valve is attached.
*/
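Review bot: The Javadoc added for `alwaysUseSession` describes the performance trade-off but not the security one, and it does not name the `org.apache.catalina.authenticator.AuthenticatorBase.ALWAYS_USE_SESSION` property that enables it, which the sibling fields in this class also leave undocumented. Because the session is then used to cache the Principal instead of consulting the Realm on every request (as the comment itself says), a password change, account disable or role change in the Realm presumably stops being enforced for an already-authenticated session until that session is invalidated or expires; and a client that never returns the session cookie (typical for BASIC-auth API clients and scripts) would cause a new session to be created on every authenticated request. I would add to the comment something like: `Enabled with the ALWAYS_USE_SESSION system property. Note that a cached Principal is not re-validated against the Realm until the session ends, and clients that do not return the session cookie will create a session per request.` The field itself is a plain copy of the `unregisterSsoOnLogout` pattern above, so no code change is needed here.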
@@ -619,11 +632,16 @@
request.setUserPrincipal(principal);
Session session = request.getSessionInternal(false);
- if (session != null && changeSessionIdOnAuthentication) {
- Manager manager = request.getContext().getManager();
- manager.changeSessionId(session, request.getRandom());
- request.changeSessionId(session.getId());
+ if (session != null) {
+ if (changeSessionIdOnAuthentication) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session, request.getRandom());
+ request.changeSessionId(session.getId());
+ }
+ } else if (alwaysUseSession) {
+ session = request.getSessionInternal(true);
}
+
// Cache the authentication information in our session, if any
if (cache) {
if (session != null) {
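Review bot: The new `else if (alwaysUseSession)` branch creates a session unconditionally, but the only consumer visible in this hunk is the `if (cache)` block below it, so when `cache` is false the freshly created session is never populated with the Principal and the request pays the session-creation cost for nothing. If no later part of this method (which starts before the hunk and continues after it) relies on that session, gating the creation as `} else if (alwaysUseSession && cache) {` keeps the option limited to the Principal-caching purpose the field's Javadoc gives it. Separately, note that the newly created session is not passed through the `changeSessionIdOnAuthentication` path; that is fine for fixation since its ID was just generated, but it is worth a one-line comment such as `// a session created here already has a fresh ID, so no changeSessionId is needed` so the asymmetry is not mistaken for an oversight. Callers that never return the cookie will still get one new session per authenticated request with this option on, which should be weighed before enabling it on BASIC-auth endpoints.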
Modified: branches/7.4.x/webapps/docs/sysprops.xml
===================================================================
--- branches/7.4.x/webapps/docs/sysprops.xml 2014-01-07 09:27:45 UTC (rev 2335)
+++ branches/7.4.x/webapps/docs/sysprops.xml 2014-01-10 14:25:54 UTC (rev 2336)
@@ -65,6 +65,22 @@
<p>It supports <code>:reload</code>.</p>
</property>
+ <property
name="org.apache.catalina.authenticator.AuthenticatorBase.CHANGE_SESSIONID_ON_AUTH">
+ <p>Should the session ID, if any, be changed upon a successful
+ authentication to prevent a session fixation attack ? If not specified, the default
value of
+ <code>false</code> will be used. </p>
+ </property>
+
+ <property
name="org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT">
+ <p>Unregister the SSO when logging out. If not specified, the default value
of
+ <code>false</code> will be used. </p>
+ </property>
+
+ <property
name="org.apache.catalina.authenticator.AuthenticatorBase.ALWAYS_USE_SESSION">
+ <p>Should a session always be used once a user is authenticated ? If not
specified, the default value of
+ <code>false</code> will be used. </p>
+ </property>
+
<property
name="org.apache.tomcat.util.buf.StringCache.byte.enabled">
<p>If <code>true</code>, the String cache is enabled for
<code>ByteChunk</code>. If not specified, the default value of