From: markt
Date: Wed, 15 Dec 2010 16:41:31 +0000 (+0000)
Subject: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=10526
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=3d58dad4720e0080e50fa4ec3dff2442c704f4ef;p=tomcat7.0
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=10526
Add alwaysUseSession option to authenticators
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1049638 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index 2817da91a..1decab581 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -116,6 +116,19 @@ public abstract class AuthenticatorBase extends ValveBase
 /**
+ * Should a session always be used once a user is authenticated? This may
+ * offer some performance benefits since the session can then be used to
+ * cache the authenticated Principal, hence removing the need to
+ * authenticate the user via the Realm on every request. This may be of help
+ * for combinations such as BASIC authentication used with the JNDIRealm or
+ * DataSourceRealms. However there will also be the performance cost of
+ * creating and GC'ing the session. By default, a session will not be
+ * created.
+ */
+ protected boolean alwaysUseSession = false;
+
+
+ /**
 * Should we cache authenticated Principals if the request is part of
 * an HTTP session?
 */
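Review bot: The Javadoc on `alwaysUseSession` frames the option purely as a performance trade-off, yet a session created because of it is also where the authenticated Principal can be cached (the Principal-caching option documented directly below), so with both enabled a BASIC-authenticated client is afterwards accepted on its session cookie alone and the session ID becomes a bearer credential for the session's whole lifetime. The doc should also warn that clients which never return the cookie, the usual BASIC API client, get a fresh session on every authenticated request, each held until its inactivity timeout, so the cost is memory that grows with request rate rather than just "creating and GC'ing". I would extend the comment with: `Note that when Principal caching is also enabled the session ID then authenticates later requests by itself, and that clients which do not return the session cookie create one new session per request.` No accessor for the field is visible in this hunk; the setter is presumably elsewhere in the class.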
@@ -681,10 +694,14 @@ public abstract class AuthenticatorBase extends ValveBase
 Session session = request.getSessionInternal(false);
- if (session != null && changeSessionIdOnAuthentication) {
- Manager manager = request.getContext().getManager();
- manager.changeSessionId(session);
- request.changeSessionId(session.getId());
+ if (session != null) {
+ if (changeSessionIdOnAuthentication) {
+ Manager manager = request.getContext().getManager();
+ manager.changeSessionId(session);
+ request.changeSessionId(session.getId());
+ }
+ } else if (alwaysUseSession) {
+ session = request.getSessionInternal(true);
 }
 // Cache the authentication information in our session, if any
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 69ce89763..4d7218f66 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -48,6 +48,11 @@
 8705: org.apache.catalina.SessionListener now extends java.util.EventListener. (markt)
+
+ 10526: Add an option to the Authenticators to
+ force the creation of a session on authentication which may offer some
+ performance benefits. (markt)
+
 48692: Provide option to parse application/x-www-form-urlencoded PUT requests. (schultz)
diff --git a/webapps/docs/config/valve.xml b/webapps/docs/config/valve.xml
index 2fdf63aef..88e5c2982 100644
--- a/webapps/docs/config/valve.xml
+++ b/webapps/docs/config/valve.xml
@@ -412,6 +412,17 @@ org.apache.catalina.authenticator.BasicAuthenticator.
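Review bot: The new `else if (alwaysUseSession)` branch creates a session for every request that reaches this point without one, so a client that never presents the session cookie (the BASIC case the option is aimed at) produces one new session per authenticated request, each kept until its inactivity timeout; nothing in the hunk bounds that, and the cost is memory held for the timeout rather than the transient "creating and GC'ing" the commit message describes. A comment at the branch would make the trade-off visible to the next reader: `// Clients that do not return the cookie get a new session per request; intended for cookie-honouring clients`. It is also worth recording why this branch skips the session ID change that the fixation logic above performs, since the asymmetry looks deliberate but is unexplained: `// Created just now and never exposed to the client, so no fixation-driven ID change is needed`. The enclosing method starts and ends outside the hunk, so whether it is reached only after a successful authentication is not visible here.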

+ +

Should a session always be used once a user is authenticated? This + may offer some performance benefits since the session can then be used + to cache the authenticated Principal, hence removing the need to + authenticate the user via the Realm on every request. This may be of + help for combinations such as BASIC authentication used with the + JNDIRealm or DataSourceRealms. However there will also be the + performance cost of creating and GC'ing the session. If not set, the + default value of false will be used.

+
+

Controls if the session ID is changed if a session exists at the point where users are authenticated. This is to prevent session fixation