Bug 52303 - NonLoginAuthenticator does not honour session timeout with SingleSignOn Valve
NonLoginAuthenticator does not honour session timeout with SingleSignOn Valve
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
trunk
PC Linux
: P2 minor (vote)
: ---
Assigned To: Tomcat Developers Mailing List
:
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2011-12-08 09:35 UTC by Brian Burch
Modified: 2011-12-27 20:25 UTC (History)
1 user (show)



Attachments
proposed diff to fix org.apache.catalina.authenticator.NonLoginAuthenticator (5.89 KB, application/octet-stream)
2011-12-08 09:35 UTC, Brian Burch
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Burch 2011-12-08 09:35:59 UTC
Created attachment 28052 [details]
proposed diff to fix org.apache.catalina.authenticator.NonLoginAuthenticator

This problem has been explored and discussed on the tomcat-users mailing list under the title "SingleSignonValve and webapp session timeout". Basically, a webapp that does not need to define a <login-config> is valid under the servlet 3.0 spec and therefore should be able to participate in a single signon realm. It should be able to inherit the security principal established by another webapp within the same realm. Its own <session-timeout> value should be honoured, even when all the other sessions in the same SingleSignOnEntry have expired.

The problem is with NonLoginAuthenticator - at some time it had SSO helper logic that was too primitive. This logic was completely commented-out in tomcat 6.0.0.

I have two fairly simple webapps (not quite drop-ins) that demonstrate the problem and my proposed fix. I have heavily commented my proposed fix to explain the surrounding dependent logic that it relies on.

At the moment I have not found an SSO-based unit test for any of the AuthenticatorBase concrete classes, but I will try to create one (eventually).
Comment 1 Mark Thomas 2011-12-27 20:25:25 UTC
Many thanks for the patch. It looks good to me.

The patch has been applied to trunk and 7.0.x and will be included in 7.0.24 onwards.