Author: remy.maucherat(a)jboss.com
Date: 2013-05-22 11:48:23 -0400 (Wed, 22 May 2013)
New Revision: 2201
Modified:
branches/7.0.x/java/org/apache/catalina/authenticator/AuthenticatorBase.java
branches/7.0.x/java/org/apache/catalina/authenticator/SingleSignOn.java
branches/7.2.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
branches/7.2.x/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java
Log:
Modify SSO logout so that it can avoid expiring all sessions.
Modified: branches/7.0.x/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
---
branches/7.0.x/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-22
15:47:51 UTC (rev 2200)
+++
branches/7.0.x/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-22
15:48:23 UTC (rev 2201)
@@ -115,6 +115,14 @@
/**
+ * Should the session ID, if any, be changed upon a successful
+ * authentication to prevent a session fixation attack?
+ */
+ protected boolean unregisterSsoOnLogout =
+
Boolean.valueOf(System.getProperty("org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT",
"true")).booleanValue();
+
+
+ /**
* The Context to which this Valve is attached.
*/
protected Context context = null;
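Review bot: The Javadoc on the new `unregisterSsoOnLogout` field (top of the hunk) talks about changing the session ID on authentication to prevent session fixation, which describes a different option and does not match what this flag controls. Replace it with text stating the actual contract, e.g. `/** Should logout deregister the whole SSO entry (which, per the commit log, expires every associated session), or only clear the per-session authentication state? Defaults to true; overridable via the system property org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT. */`. Spelling out the default matters because the `false` setting is the weaker form of logout.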
@@ -208,6 +216,16 @@
}
+ public boolean isUnregisterSsoOnLogout() {
+ return unregisterSsoOnLogout;
+ }
+
+
+ public void setUnregisterSsoOnLogout(boolean unregisterSsoOnLogout) {
+ this.unregisterSsoOnLogout = unregisterSsoOnLogout;
+ }
+
+
/**
* Return the Container to which this Valve is attached.
*/
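Review bot: The new public `isUnregisterSsoOnLogout`/`setUnregisterSsoOnLogout` accessors carry no Javadoc, while the neighbouring accessors in this class are documented (see the `getContainer` comment at the end of the hunk). Add at least a one-line summary on the setter, e.g. `/** Set whether logout deregisters the entire SSO entry (true, the default) or only clears authentication state from the sessions associated with it (false). */`. The setter presumably makes the option configurable as a valve attribute, and since `false` is the weaker logout the comment should say so, so operators understand the trade-off.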
@@ -717,8 +735,14 @@
String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
if (ssoId != null) {
// Update the SSO session with the latest authentication data
- request.removeNote(Constants.REQ_SSOID_NOTE);
- sso.deregister(ssoId);
+ if (unregisterSsoOnLogout) {
+ request.removeNote(Constants.REQ_SSOID_NOTE);
+ sso.deregister(ssoId);
+ } else {
+ if (cache && session != null) {
+ sso.logout(ssoId);
+ }
+ }
}
}
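Review bot: In the new `else` branch, `sso.logout(ssoId)` runs only when `cache && session != null`, so with `unregisterSsoOnLogout=false` and caching disabled (or no session) logout touches neither the SSO entry nor the request note and the SSO identifier stays fully valid. Nothing visible here justifies gating the SSO-side logout on the local session, so I would call it unconditionally: `} else {` / `    sso.logout(ssoId);` / `}`. Note also that, unlike the `deregister` path, `REQ_SSOID_NOTE` is kept and the SSO entry itself (which presumably still holds the principal and credentials) remains in the cache; if the SSO valve re-associates a request carrying the SSO cookie from that entry, a "logged out" user would be silently re-authenticated on the next request, which should be confirmed before anyone is pointed at this mode. The enclosing method starts before this hunk.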
Modified: branches/7.0.x/java/org/apache/catalina/authenticator/SingleSignOn.java
===================================================================
--- branches/7.0.x/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-22
15:47:51 UTC (rev 2200)
+++ branches/7.0.x/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-22
15:48:23 UTC (rev 2201)
@@ -458,7 +458,36 @@
}
+
/**
+ * Logout the specified single sign on identifier from all sessions.
+ *
+ * @param ssoId Single sign on identifier to logout
+ */
+ public void logout(String ssoId) {
+
+ // Look up and remove the corresponding SingleSignOnEntry
+ SingleSignOnEntry sso = null;
+ synchronized (cache) {
+ sso = cache.get(ssoId);
+ }
+
+ if (sso == null)
+ return;
+
+ // Remove all authentication information from all associated sessions
+ Session sessions[] = sso.findSessions();
+ for (Session session : sessions) {
+ session.setAuthType(null);
+ session.setPrincipal(null);
+ session.removeNote(Constants.SESS_USERNAME_NOTE);
+ session.removeNote(Constants.SESS_PASSWORD_NOTE);
+ }
+
+ }
+
+
+ /**
* Deregister the specified session. If it is the last session,
* then also get rid of the single sign on identifier
*
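Review bot: The comment `// Look up and remove the corresponding SingleSignOnEntry` at the top of the new `logout` method is wrong: the entry is only looked up, never removed from `cache`, and the sessions are not detached from it either. Change it to `// Look up the SingleSignOnEntry; it stays in the cache and keeps its sessions` and extend the Javadoc to state that contract, e.g. `Clears the authentication state (auth type, principal, cached username/password notes) from every session associated with the given SSO identifier. Unlike deregister(), the entry itself and any principal or credentials it holds are retained, so the identifier remains valid afterwards.` Whether the retained entry can re-authenticate a later request is not visible here but is the security-relevant question for this mode and deserves a sentence in the Javadoc once confirmed. `findSessions()` is called outside the `cache` lock, which is fine only if it returns a snapshot; worth verifying.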
Modified:
branches/7.2.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
---
branches/7.2.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-22
15:47:51 UTC (rev 2200)
+++
branches/7.2.x/src/main/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-22
15:48:23 UTC (rev 2201)
@@ -115,6 +115,14 @@
/**
+ * Should the session ID, if any, be changed upon a successful
+ * authentication to prevent a session fixation attack?
+ */
+ protected boolean unregisterSsoOnLogout =
+
Boolean.valueOf(System.getProperty("org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT",
"true")).booleanValue();
+
+
+ /**
* The Context to which this Valve is attached.
*/
protected Context context = null;
@@ -201,6 +209,16 @@
}
+ public boolean isUnregisterSsoOnLogout() {
+ return unregisterSsoOnLogout;
+ }
+
+
+ public void setUnregisterSsoOnLogout(boolean unregisterSsoOnLogout) {
+ this.unregisterSsoOnLogout = unregisterSsoOnLogout;
+ }
+
+
/**
* Return the Container to which this Valve is attached.
*/
@@ -709,8 +727,14 @@
String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
if (ssoId != null) {
// Update the SSO session with the latest authentication data
- request.removeNote(Constants.REQ_SSOID_NOTE);
- sso.deregister(ssoId);
+ if (unregisterSsoOnLogout) {
+ request.removeNote(Constants.REQ_SSOID_NOTE);
+ sso.deregister(ssoId);
+ } else {
+ if (cache && session != null) {
+ sso.logout(ssoId);
+ }
+ }
}
}
Modified:
branches/7.2.x/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java
===================================================================
---
branches/7.2.x/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-22
15:47:51 UTC (rev 2200)
+++
branches/7.2.x/src/main/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-22
15:48:23 UTC (rev 2201)
@@ -516,6 +516,34 @@
/**
+ * Logout the specified single sign on identifier from all sessions.
+ *
+ * @param ssoId Single sign on identifier to logout
+ */
+ public void logout(String ssoId) {
+
+ // Look up and remove the corresponding SingleSignOnEntry
+ SingleSignOnEntry sso = null;
+ synchronized (cache) {
+ sso = cache.get(ssoId);
+ }
+
+ if (sso == null)
+ return;
+
+ // Remove all authentication information from all associated sessions
+ Session sessions[] = sso.findSessions();
+ for (Session session : sessions) {
+ session.setAuthType(null);
+ session.setPrincipal(null);
+ session.removeNote(Constants.SESS_USERNAME_NOTE);
+ session.removeNote(Constants.SESS_PASSWORD_NOTE);
+ }
+
+ }
+
+
+ /**
* Attempts reauthentication to the given <code>Realm</code> using
* the credentials associated with the single sign-on session
* identified by argument <code>ssoId</code>.