DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4350>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4350

SSLAuthenticator did not associate SSO session

           Summary: SSLAuthenticator did not associate SSO session
           Product: Tomcat 4
           Version: 4.0.1 Final
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

When 'logging in' using CLIENT-CERT, the SSLAuthenticator did not associate the SSO session with the user's session and caused the 'log out' to fail. The following patch seems to fix it.

    public boolean authenticate(HttpRequest request, HttpResponse response,
                                LoginConfig config) throws IOException {

        // Have we already authenticated someone?
        Principal principal =
            ((HttpServletRequest) request.getRequest()).getUserPrincipal();
        if (principal != null) {
            if (debug >= 1)
                log("Already authenticated '" + principal.getName() + "'");
            // Associate the existing session with the SSO session (if any),
            // so that an SSO logout also expires this session
            String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
            if (ssoId != null)
                associate(ssoId, getSession(request, true));
            return (true);
        }

        // Retrieve the certificate chain for this client
        HttpServletResponse hres = (HttpServletResponse) response.getResponse();
        if (debug >= 1)
            log(" Looking up certificates");
        X509Certificate certs[] = (X509Certificate[])
            request.getRequest().getAttribute(Globals.CERTIFICATES_ATTR);
        if ((certs == null) || (certs.length < 1)) {
            if (debug >= 1)
                log(" No certificates included with this request");
            hres.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           sm.getString("authenticator.certificates"));
            return (false);
        }

        // Authenticate the specified certificate chain
        principal = context.getRealm().authenticate(certs);
        if (principal == null) {
            if (debug >= 1)
                log(" Realm.authenticate() returned false");
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                           sm.getString("authenticator.unauthorized"));
            return (false);
        }

        Session session = getSession(request, true);

        // Cache the principal (if requested) and record this authentication
        register(request, response, principal, Constants.CERT_METHOD,
                 null, null);

        // Associate the newly created session with the SSO session (if any);
        // without this, the SSO logout never reaches this session
        if (principal != null) {
            String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
            if (ssoId != null)
                associate(ssoId, session);
        }
        return (true);

    }
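To show why the missing associate() call makes logout fail, here is an added illustration that is not Tomcat code: a deliberately simplified model of the Catalina SingleSignOn registry (the Session, SingleSignOn and authenticate names below are hypothetical stand-ins), in which SSO logout expires only the sessions that were associated with the SSO id.

```java
// Added illustration, not Tomcat code: minimal model of an SSO registry
// showing that a session never associated with its SSO id survives logout.
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class SsoAssociationDemo {

    /** Hypothetical stand-in for org.apache.catalina.Session. */
    static class Session {
        final String id;
        boolean valid = true;
        Session(String id) { this.id = id; }
        void expire() { valid = false; }
    }

    /** Simplified SSO registry: ssoId -> sessions that must expire on logout. */
    static class SingleSignOn {
        private final Map<String, Set<Session>> cache = new HashMap<>();

        /** Record that a principal has authenticated under this SSO id. */
        void register(String ssoId) { cache.putIfAbsent(ssoId, new HashSet<>()); }

        /** What an authenticator must call for every authenticated session. */
        void associate(String ssoId, Session session) {
            cache.computeIfAbsent(ssoId, k -> new HashSet<>()).add(session);
        }

        /** SSO logout: expire every session associated with the SSO id. */
        void deregister(String ssoId) {
            Set<Session> sessions = cache.remove(ssoId);
            if (sessions != null) sessions.forEach(Session::expire);
        }
    }

    /** Model of an authenticator; 'associate' toggles the behaviour the patch adds. */
    static Session authenticate(SingleSignOn sso, String ssoId, boolean associate) {
        Session session = new Session("JSESSIONID-" + ssoId); // constructed id
        sso.register(ssoId);
        if (associate) sso.associate(ssoId, session);
        return session;
    }

    public static void main(String[] args) {
        SingleSignOn sso = new SingleSignOn();
        Session unpatched = authenticate(sso, "sso-1", false); // registry never learns of the session
        sso.deregister("sso-1");
        System.out.println("unpatched, session still valid after logout: " + unpatched.valid);

        Session patched = authenticate(sso, "sso-2", true);    // session associated, as in the patch
        sso.deregister("sso-2");
        System.out.println("patched, session still valid after logout: " + patched.valid);
    }
}
```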