portals-jetspeed-dev mailing list archives

From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Issue Comment Edited: (JS2-1119) Impossible to log in using Jetspeed 2 and Tomcat 6.0.24
Date Sun, 07 Mar 2010 12:27:27 GMT

    [ https://issues.apache.org/jira/browse/JS2-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12842422#action_12842422 ]

Ate Douma edited comment on JS2-1119 at 3/7/10 12:26 PM:
---------------------------------------------------------

I found the cause of the problem: a new setting in Tomcat 6.0.21+ (and 5.5.29+) called "changeSessionIdOnAuthentication"
which is enabled by default...
This new setting effectively breaks our active authentication mechanism :(

Some references:
   
   https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
   http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
   http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

After I disabled the default setting for this in the jetspeed.xml Tomcat context descriptor
like the following, active authentication worked again:

	<Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>

However, as this new "feature" looks like an important security measure, further investigation
is needed to determine *if* and how we can fix the Jetspeed active authentication again with this new
feature remaining enabled.

For the time being, anyone wanting/needing to use Tomcat 6.0.21+/5.5.29+ together with Jetspeed
active authentication temporarily needs to apply the above configuration adjustment.

      was (Author: adouma):
    I found the cause of the problem: a new setting in Tomcat 6.0.21+ (and 5.5.29+) called
"changeSessionIdOnAuthentication" which is enabled by default...
This new setting effectively breaks our active authentication mechanism :(

Some references:
   
   https://issues.apache.org/bugzilla/show_bug.cgi?id=45255
   http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
   http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

After I disabled the default setting for this in the jetspeed.xml Tomcat context descriptor
like the following, active authentication worked again:

	<Valve className="org.apache.catalina.authenticator.FormAuthenticator" characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>

However, as this new "feature" looks like an important security measure, further investigation
is needed to determine *if* and how we can fix the Jetspeed active authentication again with this new
feature remaining enabled.

For the time being, anyone wanting/needing to use Tomcat 6.0.21+/5.5.29+ together with Jetspeed
active authentication temporarily needs to apply the above configuration adjustment.
  
> Impossible to log in using Jetspeed 2 and Tomcat 6.0.24
> -------------------------------------------------------
>
>                 Key: JS2-1119
>                 URL: https://issues.apache.org/jira/browse/JS2-1119
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Components Core
>    Affects Versions: 2.2.1
>         Environment: Linux Ubuntu Lucid Lynx - Tomcat 6.0.24-2 - Java 1.5 and 1.6
>            Reporter: Gonzalo Aguilar
>            Assignee: Ate Douma
>             Fix For: 2.2.1
>
>
> Jetspeed will not let you log in when deployed in Tomcat 6.0.24-2.
> After inserting user and password portal will reload as usual but will not update its contents to reflect login success.
> No errors are shown in logs and no clue about what's going wrong as password is accepted and normal login seems to perform normally. I traced the module to DefaultLoginModule.login() and it works well and returns success when correct user and login are used. But portal doesn't seem to reflect the login. The problem must be in another place but I was not able to track it down.
> Steps to reproduce:
> 1.- Install Tomcat 6.0.22
> 2.- Deploy jetspeed 2 2.2.1 with libs in place.
> 3.- Log in as usual.
> It will not work.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
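
An added example, not part of the original message or of Jetspeed/Tomcat: a small audit that finds Tomcat context descriptors where an authenticator Valve carries the workaround above, so deployments running with `changeSessionIdOnAuthentication` (Tomcat's session fixation protection) switched off can be tracked until a real fix lands. The descriptor contents and the second file name are constructed samples, and treating any value other than "true" as disabled is a conservative assumption of this script.

```python
import xml.etree.ElementTree as ET

AUTH_PKG = "org.apache.catalina.authenticator."
ATTR = "changeSessionIdOnAuthentication"

def audit_descriptor(name, xml_text):
    """Return (file, authenticator, status) for each authenticator Valve."""
    findings = []
    for valve in ET.fromstring(xml_text).iter("Valve"):
        cls = valve.get("className", "")
        if not cls.startswith(AUTH_PKG):
            continue  # other valves (e.g. access logging) do not carry this setting
        raw = valve.get(ATTR)
        if raw is None:
            status = "default"   # attribute absent: the container default applies
        elif raw.strip().lower() == "true":
            status = "enabled"
        else:
            status = "disabled"  # assumption: anything but "true" counts as off
        findings.append((name, cls[len(AUTH_PKG):], status))
    return findings

def disabled_only(descriptors):
    """Filter a {filename: xml_text} mapping down to the risky valves."""
    hits = []
    for name, text in sorted(descriptors.items()):
        hits += [f for f in audit_descriptor(name, text) if f[2] == "disabled"]
    return hits

# Constructed sample descriptors; the first mirrors the workaround in the message.
SAMPLES = {
    "jetspeed.xml": """<Context path="/jetspeed" docBase="jetspeed">
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         characterEncoding="UTF-8" changeSessionIdOnAuthentication="false"/>
</Context>""",
    "other-app.xml": """<Context>
  <Valve className="org.apache.catalina.valves.AccessLogValve"/>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         characterEncoding="UTF-8"/>
</Context>""",
}

if __name__ == "__main__":
    for fname, auth, _ in disabled_only(SAMPLES):
        print("%s: %s has %s disabled" % (fname, auth, ATTR))
```
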

