/**
+ * Should a session always be used once a user is authenticated? This may
+ * offer some performance benefits since the session can then be used to
+ * cache the authenticated Principal, hence removing the need to
+ * authenticate the user via the Realm on every request. This may be of help
+ * for combinations such as BASIC authentication used with the JNDIRealm or
+ * DataSourceRealms. However there will also be the performance cost of
+ * creating and GC'ing the session. By default, a session will not be
+ * created.
+ */
+ protected boolean alwaysUseSession = false;
+
+
+ /**
* Should we cache authenticated Principals if the request is part of
* an HTTP session?
*/
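Review bot: The Javadoc at L2-L9 describes the new session as a cache for the authenticated Principal, but that caching is governed by the separate `cache` setting documented right below it ("Should we cache authenticated Principals if the request is part of an HTTP session?"); the comment should say that `alwaysUseSession` only pays off when `cache` is also enabled, otherwise a session is created on every authenticated request and nothing is stored in it. It would also help maintainers to state the implicit assumption that the client returns the session ID on subsequent requests; for BASIC-authenticated non-browser clients that never send the cookie, the "performance cost of creating and GC'ing the session" mentioned on L7-L8 is incurred per request while the Realm is still consulted each time, so the trade-off described here inverts. A sentence like "Only effective when cache is true and the client maintains the session" would make the intended deployment explicit.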
Session session = request.getSessionInternal(false);
- if (session != null && changeSessionIdOnAuthentication) {
- Manager manager = request.getContext().getManager();
- manager.changeSessionId(session);
- request.changeSessionId(session.getId());
+ if (session != null) {
+ if (changeSessionIdOnAuthentication) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+ } else if (alwaysUseSession) {
+ session = request.getSessionInternal(true);
}
// Cache the authentication information in our session, if any
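Review bot: The new `else if (alwaysUseSession)` branch at L29-L30 creates the session after the `changeSessionIdOnAuthentication` handling has already been evaluated, so a session created here never has its ID rotated; that is acceptable because the session did not exist before authentication and there is no pre-authentication ID an attacker could have fixed, but the reasoning is not obvious from the structure and deserves a one-line comment such as "New session created post-authentication: no ID change needed for fixation protection" so a later refactor does not "fix" it by moving the creation above the check. Separately, consider gating the creation on the `cache` setting (`else if (alwaysUseSession && cache)`), since the comment preceding this block ("Cache the authentication information in our session, if any") shows that the session is only useful here as a Principal cache; creating sessions that will never hold the Principal adds the GC cost the field Javadoc warns about without the benefit.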
<bug>8705</bug>: <code>org.apache.catalina.SessionListener</code> now
extends <code>java.util.EventListener</code>. (markt)
</fix>
+ <add>
+ <bug>10526</bug>: Add an option to the <code>Authenticator</code>s to
+ force the creation of a session on authentication which may offer some
+ performance benefits. (markt)
+ </add>
<update>
<bug>48692</bug>: Provide option to parse
<code>application/x-www-form-urlencoded</code> PUT requests. (schultz)
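Review bot: The changelog entry at L37-L39 does not name the new attribute or its default, so an administrator reading the release notes cannot find the option without opening the source; suggest "Add the <code>alwaysUseSession</code> attribute (default <code>false</code>) to the <code>Authenticator</code>s to force the creation of a session on authentication ..." so the entry matches the attribute documented in the configuration reference. Mentioning that the option is intended for use together with Principal caching would also prevent it being enabled on its own in the expectation of a speed-up.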
<strong>org.apache.catalina.authenticator.BasicAuthenticator</strong>.</p>
</attribute>
+ <attribute name="alwaysUseSession" required="false">
+ <p>Should a session always be used once a user is authenticated? This
+ may offer some performance benefits since the session can then be used
+ to cache the authenticated Principal, hence removing the need to
+ authenticate the user via the Realm on every request. This may be of
+ help for combinations such as BASIC authentication used with the
+ JNDIRealm or DataSourceRealms. However there will also be the
+ performance cost of creating and GC'ing the session. If not set, the
+ default value of <code>false</code> will be used.</p>
+ </attribute>
+
<attribute name="changeSessionIdOnAuthentication" required="false">
<p>Controls if the session ID is changed if a session exists at the
point where users are authenticated. This is to prevent session fixation
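Review bot: The attribute description at L47-L54 repeats the Javadoc verbatim and therefore inherits the same gap: it should tell administrators that the created session only removes the per-request Realm lookup when Principal caching (the <code>cache</code> attribute) is enabled and when the client returns the session ID on later requests, and that a session created this way follows the normal session lifecycle (it occupies memory until it expires or is invalidated, which is the "cost of creating and GC'ing the session" the text alludes to). Because the attribute sits immediately before <code>changeSessionIdOnAuthentication</code> at L57, a short note that a session created by this option is created after authentication, so the ID-change protection described there does not need to apply to it, would head off questions about whether the two settings interact.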