Author: remy.maucherat(a)jboss.com
Date: 2013-05-22 11:47:51 -0400 (Wed, 22 May 2013)
New Revision: 2200
Modified:
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java
branches/8.0.x/src/main/java/org/apache/catalina/connector/Connector.java
branches/8.0.x/webapps/docs/sysprops.xml
Log:
- Add a system property for TRACE.
- Modify SSO logout so that it can avoid expiring all sessions.
Modified:
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
---
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-16
04:33:23 UTC (rev 2199)
+++
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-22
15:47:51 UTC (rev 2200)
@@ -115,6 +115,14 @@
/**
+ * Should the session ID, if any, be changed upon a successful
+ * authentication to prevent a session fixation attack?
+ */
+ protected boolean unregisterSsoOnLogout =
+
Boolean.valueOf(System.getProperty("org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT",
"true")).booleanValue();
+
+
+ /**
* The Context to which this Valve is attached.
*/
protected Context context = null;
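Review bot: The Javadoc added above `unregisterSsoOnLogout` is the session-fixation text (`Should the session ID, if any, be changed upon a successful authentication ...`) copied from the neighbouring field and does not describe this flag at all; replace it with something like `/** Deregister the SSO entry (expiring all associated sessions) on logout? When false only the sessions' authentication state is cleared. Defaults from the UNREGISTER_SSO_ON_LOGOUT system property, else true. */`. The sysprops.xml entry added in this commit states the inverse of the code: it says `true` means the SSO will not be unregistered, whereas the code deregisters when the flag is true and the default is true, so one of the two must be corrected before users rely on it. The `isUnregisterSsoOnLogout`/`setUnregisterSsoOnLogout` pair in the next hunk also has no Javadoc.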
@@ -201,6 +209,16 @@
}
+ public boolean isUnregisterSsoOnLogout() {
+ return unregisterSsoOnLogout;
+ }
+
+
+ public void setUnregisterSsoOnLogout(boolean unregisterSsoOnLogout) {
+ this.unregisterSsoOnLogout = unregisterSsoOnLogout;
+ }
+
+
/**
* Return the Container to which this Valve is attached.
*/
@@ -709,8 +727,14 @@
String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
if (ssoId != null) {
// Update the SSO session with the latest authentication data
- request.removeNote(Constants.REQ_SSOID_NOTE);
- sso.deregister(ssoId);
+ if (unregisterSsoOnLogout) {
+ request.removeNote(Constants.REQ_SSOID_NOTE);
+ sso.deregister(ssoId);
+ } else {
+ if (cache && session != null) {
+ sso.logout(ssoId);
+ }
+ }
}
}
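Review bot: The new `else` branch reaches `sso.logout(ssoId)` only when `cache && session != null`, so when the authenticator is not caching principals, or the request carries no session, logout neither deregisters the SSO entry nor clears its sessions and leaves `REQ_SSOID_NOTE` in place, which makes logout a no-op on the SSO side. If the intent is that the SSO stays registered but loses its authentication, the call should probably be unconditional, `} else { sso.logout(ssoId); }`, and if the `cache` condition is deliberate it needs a comment explaining why an uncached authenticator should skip it. The pre-existing comment `Update the SSO session with the latest authentication data` now describes neither path and should be reworded to, e.g., `Drop the SSO entry, or only its sessions' authentication state, depending on unregisterSsoOnLogout`. The enclosing logout method begins and ends outside this hunk.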
Modified:
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java
===================================================================
---
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-16
04:33:23 UTC (rev 2199)
+++
branches/8.0.x/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-22
15:47:51 UTC (rev 2200)
@@ -516,6 +516,34 @@
/**
+ * Logout the specified single sign on identifier from all sessions.
+ *
+ * @param ssoId Single sign on identifier to logout
+ */
+ public void logout(String ssoId) {
+
+ // Look up and remove the corresponding SingleSignOnEntry
+ SingleSignOnEntry sso = null;
+ synchronized (cache) {
+ sso = cache.get(ssoId);
+ }
+
+ if (sso == null)
+ return;
+
+ // Remove all authentication information from all associated sessions
+ Session sessions[] = sso.findSessions();
+ for (Session session : sessions) {
+ session.setAuthType(null);
+ session.setPrincipal(null);
+ session.removeNote(Constants.SESS_USERNAME_NOTE);
+ session.removeNote(Constants.SESS_PASSWORD_NOTE);
+ }
+
+ }
+
+
+ /**
* Attempts reauthentication to the given <code>Realm</code> using
* the credentials associated with the single sign-on session
* identified by argument <code>ssoId</code>.
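Review bot: `logout` clears authType, principal and the username/password notes on every associated session but never modifies the `SingleSignOnEntry` it fetched from `cache`, so the entry keeps its own principal and authType (and, presumably, the credentials it holds for `reauthenticate`); as long as the SSO cookie is still presented, the SSO valve would likely keep treating requests as authenticated, which undercuts the logout and contradicts the Javadoc `Logout the specified single sign on identifier from all sessions`. The entry's authentication state should be cleared as well (e.g. via its credential-update method, if it exposes one, with a null principal and authType), or the Javadoc should say explicitly that the entry stays authenticated. On style, `if (sso == null) return;` is unbraced and `Session sessions[]` uses the C-style array declarator; prefer `if (sso == null) { return; }` and `Session[] sessions = sso.findSessions();`.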
Modified: branches/8.0.x/src/main/java/org/apache/catalina/connector/Connector.java
===================================================================
--- branches/8.0.x/src/main/java/org/apache/catalina/connector/Connector.java 2013-05-16
04:33:23 UTC (rev 2199)
+++ branches/8.0.x/src/main/java/org/apache/catalina/connector/Connector.java 2013-05-22
15:47:51 UTC (rev 2200)
@@ -66,7 +66,9 @@
protected static final boolean X_POWERED_BY =
Boolean.valueOf(System.getProperty("org.apache.catalina.connector.X_POWERED_BY",
"false")).booleanValue();
-
+ protected static final boolean ALLOW_TRACE =
+
Boolean.valueOf(System.getProperty("org.apache.catalina.connector.ALLOW_TRACE",
"false")).booleanValue();
+
protected static final String URI_ENCODING =
System.getProperty("org.apache.catalina.connector.URI_ENCODING");
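Review bot: `ALLOW_TRACE` is a process-wide default that is copied into every Connector's `allowTrace` (next hunk) but, unlike the field it feeds, it carries no comment saying so or naming the fail-safe default; add `/** Process-wide default for allowTrace, read from the ALLOW_TRACE system property; false unless set. */` above it. A per-connector `allowTrace` setting, if one is applied after construction, presumably still overrides this default, and the comment on the field in the next hunk could say that too.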
@@ -102,7 +104,7 @@
/**
* Do we allow TRACE ?
*/
- protected boolean allowTrace = false;
+ protected boolean allowTrace = ALLOW_TRACE;
/**
Modified: branches/8.0.x/webapps/docs/sysprops.xml
===================================================================
--- branches/8.0.x/webapps/docs/sysprops.xml 2013-05-16 04:33:23 UTC (rev 2199)
+++ branches/8.0.x/webapps/docs/sysprops.xml 2013-05-22 15:47:51 UTC (rev 2200)
@@ -103,6 +103,12 @@
in embedded mode.</p>
</property>
+ <property
name="org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT">
+ <p>If <code>true</code>, the SSO will not be unregistred, and all
associated sessions
+ expired when logout is called (expiration remains a separate operation, like for
non SSO).
+ If not specified the default value of <code>true</code> will be
used.</p>
+ </property>
+
<property
name="org.apache.catalina.connector.Request.SESSION_ID_CHECK">
<p>If <code>true</code>, the Servet container will verify that a
session
exists in a context with the specified session id before creating a session
@@ -299,6 +305,11 @@
<properties>
+ <property
name="org.apache.catalina.connector.Connector.ALLOW_TRACE">
+ <p>If this is <code>true</code> the TRACE HTTP method will be
allowed.
+ If not specified, the default value of <code>false</code> will be
used.</p>
+ </property>
+
<property name="org.apache.catalina.connector.RECYCLE_FACADES">
<p>If this is <code>true</code> or if a security manager is in
use a new
facade object will be created for each request. If not specified, the