Brian,

I believe I just fixed those issues. See the latest patch to 9077.

Luke Nelson

> -----Original Message-----
> From: Brian Stansberry [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 24, 2003 1:27 PM
> To: Tomcat Developers List
> Subject: Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAut
>
> At 08:21 PM 11/24/2003 +0100, Remy wrote:
> >Brian Stansberry wrote:
> >>At 11:56 AM 11/24/2003 -0600, Luke Nelson wrote:
> >>
> >>>I have tried applying the patch, and I found three problems with
> >>>it. First, its removal of a session from the SingleSignOnEntry
> >>>object causes an IndexOutOfBounds exception. Second, the method
> >>>for determining whether the user explicitly logged out or whether a
> >>>session timed out doesn't scale one of the numbers correctly (i.e.
> >>>comparing millisecond values to seconds). I have fixed the patch,
> >>>but I don't have a diff of it yet (I'm new to helping with this
> >>>project). Finally, the patch doesn't synchronize on 'reverse' when
> >>>removing an entry from it.
> >>
> >>I also looked at the code for StandardSession.getLastAccessedTime()
> >>and it looks as if it will throw an IllegalStateException if the
> >>session is expired. So that would break the algorithm used in the
> >>9077 patch.
> >>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify
> >>throwing an IllegalStateException for a call to
> >>getLastAccessedTime(). It looks as if the exception throw was added
> >>in response to bug 15967, which stated that the javadoc does specify
> >>the exception, but I'm looking at the javadoc for both Servlet 2.3
> >>and 2.4, and in both cases it's not specified.
> >
> >Can you address those issues ASAP ? (incl the array out of bounds and the sync issue)
>
> Sure; I'm starting on it now. However, Jean-Francois found a HttpSession
> javadoc that specifies throwing an IllegalStateException in
> getLastAccessedTime(). If that is in the final spec, the 9077 patch
> algorithm will not work. I'll work on it anyway in case the exception's
> not in the final spec.
>
> As a backup, I've attached a patch that restores your earlier removal of
> the logout code.
>
>
> Brian Stansberry
> WAN Concepts, Inc.
> www.wanconcepts.com
> Tel: (510) 894-0114 x 116
> Fax: (510) 797-3005