tomcat-dev mailing list archives

From Amy Roh <amy...@apache.org>
Subject Re: CoyoteRequest.recycle() and userPrincipal
Date Tue, 30 Sep 2003 16:41:20 GMT
Remy Maucherat wrote:
> Amy Roh wrote:
> 
>> The admin logs you out and asks you to reauthenticate yourself again after
>> you do "commit".  It seems like after the admin gets redeployed, the same
>> CoyoteRequestFacade loses its userPrincipal in the recycle() method.  What
>> is the motivation for setting userPrincipal to null in recycle()?  I don't
>> think it's acceptable to ask the user to keep logging on and reauthenticate
>> his/herself every time you commit.
>>
>> Comments?
> 
> 
> Well, I think it is perfectly acceptable, sorry ;-)
> 
> BTW, there's no CoyoteRequestFacade.recycle, that's in CoyoteRequest, 
> and it is obviously a field which needs to be recycled.

I meant to say CoyoteRequest.  :-)

> 
> "Fixing" this will create a major security issue. Please refrain from 
> fixing things you do not seem to understand well, or please only do so 
> in Sun's repositories.

I see that there will be security issues if we don't clean up the field 
in the request.  No such fix will go into Sun's repositories if it's a 
security issue.  I obviously posted the email to the list for additional 
comments to understand the code better.

Thanks,
Amy

> 
> Remy
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
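Added illustration of the point Remy makes above (not Tomcat code, and not CoyoteRequest itself): a pooled request object whose recycle() leaves userPrincipal set hands the previous caller's identity to the next, unauthenticated request served by the same object. PooledRequest, RecycleDemo, the authenticate() helper and the token string are constructed for this example.

```java
import java.security.Principal;

/** Stand-in for a pooled request object; illustrative only, not Tomcat's CoyoteRequest. */
final class PooledRequest {
    private String uri;
    private Principal userPrincipal;
    /** Called for each incoming request that reuses this object. */
    void begin(String uri) { this.uri = uri; }
    /** Only an authenticator that has verified credentials calls this; anonymous requests never do. */
    void setUserPrincipal(Principal p) { this.userPrincipal = p; }
    Principal getUserPrincipal() { return userPrincipal; }
    String getRequestURI() { return uri; }
    /** Reset every per-request field before the object serves the next connection. */
    void recycle() {
        uri = null;
        userPrincipal = null; // without this line the previous caller's identity survives
    }
}

public class RecycleDemo {
    /** Hypothetical authenticator: a principal is set only when the request carries a valid token. */
    static void authenticate(PooledRequest req, String token) {
        if ("valid-admin-token".equals(token)) { // constructed sample credential
            req.setUserPrincipal(() -> "admin");
        }
    }

    static String describe(PooledRequest req) {
        Principal p = req.getUserPrincipal();
        return req.getRequestURI() + " -> " + (p == null ? "anonymous" : p.getName());
    }

    public static void main(String[] args) {
        PooledRequest req = new PooledRequest();
        req.begin("/admin/commit");
        authenticate(req, "valid-admin-token");
        System.out.println("request 1:  " + describe(req));

        // Reuse the object without recycling: the anonymous caller inherits "admin".
        req.begin("/admin/commit");
        authenticate(req, null);
        System.out.println("no recycle: " + describe(req));

        // Reuse after recycle(): the anonymous caller is correctly anonymous.
        req.recycle();
        req.begin("/admin/commit");
        authenticate(req, null);
        System.out.println("recycled:   " + describe(req));
    }
}
```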