Tomas Milian created FEDIZ-256:
----------------------------------

             Summary: Tomcat authenticationSessionTimeout
                 Key: FEDIZ-256
                 URL: https://issues.apache.org/jira/browse/FEDIZ-256
             Project: CXF-Fediz
          Issue Type: Bug
          Components: Plugin
    Affects Versions: 1.6.1
            Reporter: Tomas Milian
Hello,

I was configuring Fediz 1.6.1 on Tomcat 9.0.74 and found the following issue.

Tomcat 9.0.74 introduced a new FORM authenticator Valve attribute (authenticationSessionTimeout) that breaks the Fediz authentication process. Fediz uses FormAuthenticator to save the request; the change introduced in Tomcat 9.0.74 replaces the original session timeout with the authenticationSessionTimeout default value (120 seconds).

{code:java}
// Tomcat 9.0.74 FormAuthenticator, while saving the request before the login redirect:
// a new session has its maxInactiveInterval shortened to authenticationSessionTimeout,
// and the original value is kept on the SavedRequest so it can be restored afterwards.
if (session instanceof HttpSession && ((HttpSession) session).isNew()) {
    int originalMaxInactiveInterval = session.getMaxInactiveInterval();
    if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
        saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
        session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
    }
}
{code}

Once the Fediz authentication is resumed, the session maxInactiveInterval is not restored, so the authenticated session always ends up with a 120 second maxInactiveInterval.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
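The save/restore sequence the report describes, as a stand-alone Java sketch added here for illustration (not Fediz or Tomcat code): FakeSession and FakeSavedRequest are hypothetical stand-ins for Tomcat's session and SavedRequest, the 1800-second value is a constructed web.xml session-timeout, and restoreOriginalInterval is the step that is missing when Fediz resumes authentication.

```java
/** Hypothetical stand-in for a Tomcat HttpSession, keeping only what the bug touches. */
final class FakeSession {
    private int maxInactiveInterval;
    private final boolean isNew;

    FakeSession(int maxInactiveInterval, boolean isNew) {
        this.maxInactiveInterval = maxInactiveInterval;
        this.isNew = isNew;
    }
    int getMaxInactiveInterval() { return maxInactiveInterval; }
    void setMaxInactiveInterval(int seconds) { maxInactiveInterval = seconds; }
    boolean isNew() { return isNew; }
}

/** Hypothetical stand-in for Tomcat's SavedRequest; 0 means the interval was never shortened. */
final class FakeSavedRequest {
    private int originalMaxInactiveInterval;
    int getOriginalMaxInactiveInterval() { return originalMaxInactiveInterval; }
    void setOriginalMaxInactiveInterval(int seconds) { originalMaxInactiveInterval = seconds; }
}

public class AuthSessionTimeoutDemo {
    /** Tomcat 9.0.74 default for the authenticationSessionTimeout Valve attribute. */
    static final int AUTHENTICATION_SESSION_TIMEOUT = 120;

    /** Mirrors what FormAuthenticator does when it saves the request for the login redirect. */
    static void saveRequest(FakeSession session, FakeSavedRequest saved) {
        if (session.isNew()) {
            int original = session.getMaxInactiveInterval();
            if (original > AUTHENTICATION_SESSION_TIMEOUT) {
                saved.setOriginalMaxInactiveInterval(original);
                session.setMaxInactiveInterval(AUTHENTICATION_SESSION_TIMEOUT);
            }
        }
    }

    /** The restore step that must run once authentication has completed. */
    static void restoreOriginalInterval(FakeSession session, FakeSavedRequest saved) {
        if (saved.getOriginalMaxInactiveInterval() > 0) {
            session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval());
        }
    }

    public static void main(String[] args) {
        FakeSession session = new FakeSession(1800, true); // constructed: 30-minute web.xml timeout
        FakeSavedRequest saved = new FakeSavedRequest();
        saveRequest(session, saved);
        System.out.println("interval while authenticating: " + session.getMaxInactiveInterval());
        restoreOriginalInterval(session, saved); // without this call the session keeps 120 seconds
        System.out.println("interval after authentication: " + session.getMaxInactiveInterval());
    }
}
```

Leaving out the restoreOriginalInterval call reproduces the reported behaviour: the authenticated session keeps the 120-second interval instead of the configured timeout.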