Author: aogburn
Date: 2013-05-31 08:54:47 -0400 (Fri, 31 May 2013)
New Revision: 2207
Modified:
branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/AuthenticatorBase.java
branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/SingleSignOn.java
Log:
[BZ-967978] commit one-off changes to avoid session invalidation on sso logout
Modified:
branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/AuthenticatorBase.java
===================================================================
---
branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-30
21:40:00 UTC (rev 2206)
+++
branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2013-05-31
12:54:47 UTC (rev 2207)
@@ -115,6 +115,14 @@
/**
+ * Should the session ID, if any, be changed upon a successful
+ * authentication to prevent a session fixation attack?
+ */
+ protected boolean unregisterSsoOnLogout =
+
Boolean.valueOf(System.getProperty("org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT",
"true")).booleanValue();
+
+
+ /**
* The Context to which this Valve is attached.
*/
protected Context context = null;
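Review bot: The Javadoc added above `unregisterSsoOnLogout` describes a different field — "Should the session ID, if any, be changed upon a successful authentication to prevent a session fixation attack?" is the session-fixation wording, not what this flag controls. Replace it with a comment that states the actual contract, for example `/** Should the SSO entry be deregistered (and all associated sessions expired) when a session logs out? When false, logout only strips authentication data from the associated sessions and the SSO entry stays registered. Defaults to the system property org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT, true if unset. */`. Because the `false` setting weakens logout, the comment should also warn that it must only be enabled deliberately. The field declaration is wrapped across several lines in this listing; the intended single-line declaration is `protected boolean unregisterSsoOnLogout = Boolean.valueOf(System.getProperty("org.apache.catalina.authenticator.AuthenticatorBase.UNREGISTER_SSO_ON_LOGOUT", "true")).booleanValue();`.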
@@ -208,6 +216,16 @@
}
+ public boolean isUnregisterSsoOnLogout() {
+ return unregisterSsoOnLogout;
+ }
+
+
+ public void setUnregisterSsoOnLogout(boolean unregisterSsoOnLogout) {
+ this.unregisterSsoOnLogout = unregisterSsoOnLogout;
+ }
+
+
/**
* Return the Container to which this Valve is attached.
*/
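Review bot: The new public `isUnregisterSsoOnLogout()` / `setUnregisterSsoOnLogout(boolean)` pair has no Javadoc, while the neighbouring accessors in this class carry one. Add at least `/** Return whether SSO logout deregisters the SSO entry (true) or only clears authentication data from its sessions (false). */` on the getter and `/** Set whether SSO logout deregisters the SSO entry; the default comes from the UNREGISTER_SSO_ON_LOGOUT system property. */` on the setter, and note in the setter that a value of `false` leaves the SSO entry alive across logout.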
@@ -717,8 +735,14 @@
String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
if (ssoId != null) {
// Update the SSO session with the latest authentication data
- request.removeNote(Constants.REQ_SSOID_NOTE);
- sso.deregister(ssoId);
+ if (unregisterSsoOnLogout) {
+ request.removeNote(Constants.REQ_SSOID_NOTE);
+ sso.deregister(ssoId);
+ } else {
+ if (cache && session != null) {
+ sso.removeLogin(ssoId);
+ }
+ }
}
}
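Review bot: In the new `else` branch, when `cache` is false nothing happens at all on logout — neither `sso.deregister(ssoId)` nor `sso.removeLogin(ssoId)` is called and `REQ_SSOID_NOTE` stays on the request — so the SSO state is left fully intact; the `cache && session != null` guard should at least not suppress `removeLogin`, e.g. `} else { sso.removeLogin(ssoId); }`, unless there is a reason (not visible here) to tie it to principal caching. Even with the guard fixed, this branch keeps the SingleSignOnEntry registered under `ssoId` and the SSO cookie valid, so the next request presenting that cookie still maps to an entry that holds the original authentication data; whether the SingleSignOn valve re-populates the request principal from that entry is outside this hunk and should be confirmed before relying on this as a logout. The enclosing method starts outside the hunk.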
Modified:
branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/SingleSignOn.java
===================================================================
---
branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-30
21:40:00 UTC (rev 2206)
+++
branches/JBOSSWEB_7_0_17_FINAL_BZ-967978/java/org/apache/catalina/authenticator/SingleSignOn.java 2013-05-31
12:54:47 UTC (rev 2207)
@@ -524,6 +524,34 @@
/**
+ * Logout the specified single sign on identifier from all sessions.
+ *
+ * @param ssoId Single sign on identifier to logout
+ */
+ public void removeLogin(String ssoId) {
+
+ // Look up and remove the corresponding SingleSignOnEntry
+ SingleSignOnEntry sso = null;
+ synchronized (cache) {
+ sso = cache.get(ssoId);
+ }
+
+ if (sso == null)
+ return;
+
+ // Remove all authentication information from all associated sessions
+ Session sessions[] = sso.findSessions();
+ for (Session session : sessions) {
+ session.setAuthType(null);
+ session.setPrincipal(null);
+ session.removeNote(Constants.SESS_USERNAME_NOTE);
+ session.removeNote(Constants.SESS_PASSWORD_NOTE);
+ }
+
+ }
+
+
+ /**
* Attempts reauthentication to the given <code>Realm</code> using
* the credentials associated with the single sign-on session
* identified by argument <code>ssoId</code>.
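Review bot: `removeLogin` clears authType, principal and the username/password notes from each associated session, but leaves the SingleSignOnEntry itself untouched, and the unchanged Javadoc directly below states that `reauthenticate` uses "the credentials associated with the single sign-on session identified by argument ssoId" — so after `removeLogin` a later `reauthenticate(ssoId, ...)` can still succeed from the entry's stored credentials, which undermines the logout. Consider also clearing the entry's own cached authentication data (principal, auth type, username and password) in the same method, or document explicitly that only the sessions are cleaned and the entry remains reauthenticatable. The comment on the lookup is also wrong: it reads `// Look up and remove the corresponding SingleSignOnEntry` but the code only does `cache.get(ssoId)`; change it to `// Look up the corresponding SingleSignOnEntry (it stays registered)`. Minor style: `Session sessions[] = sso.findSessions();` uses the C-style array declarator; `Session[] sessions = sso.findSessions();` is the Java convention.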