[
https://issues.apache.org/jira/browse/CXF-4548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13474061#comment-13474061
]
Sergey Beryozkin commented on CXF-4548:
---------------------------------------
Hi Thorsten, thanks for the patch, I applied with minor modifications.
The problem with HttpSession class is that it does not return an object in
removeAttribute, so we have to make a duplicate call, once - getAttribute and
then removeAttribute. So I updated SessionAuthenticityTokenProvider to return
the value from removeToken and updated the service to call this method
immediately, instead of doing a sequence of getToken and then removeToken. That
should be faster, especially if a custom provider has not been optimized to
cache the token which was just retrieved.
Hope you OK with this update - I'll keep this JIRA open for a bit just in case
> Enable use of customized session provider in OAuth2 GrantService
> ----------------------------------------------------------------
>
> Key: CXF-4548
> URL: https://issues.apache.org/jira/browse/CXF-4548
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 2.6.2, 2.7.0
> Reporter: Thorsten Hoeger
> Fix For: 2.6.4, 2.7.1
>
> Attachments:
> 0001-refs-CXF-4548-Enable-use-of-customized-session-provi.patch
>
>
> In the AuthorizationCodeGrantService there are two private methods
> using sessions to store and retrieve the sessionAuthenticityToken. It
> would be nice to be able to change the storage.
> I had to create a deep copy of this class to use some other session store.
> Patch will be provided soon.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
