tomcat-dev mailing list archives

From Amy Roh
Subject Re: CoyoteRequest.recycle() and userPrincipal
Date Tue, 30 Sep 2003 16:41:20 GMT
Remy Maucherat wrote:
> Amy Roh wrote:
>> The admin logs you out and asks you to reauthenticate yourself again after
>> you do "commit".  It seems like after the admin gets redeployed, the same
>> CoyoteRequestFacade loses its userPrincipal in the recycle() method.  What
>> is the motivation for setting userPrincipal to null in recycle()?  I don't
>> think it's acceptable to ask the user to keep logging on and reauthenticate
>> his/herself every time you commit.
>> Comments?
> Well, I think it is perfectly acceptable, sorry ;-)
> BTW, there's no CoyoteRequestFacade.recycle, that's in CoyoteRequest, 
> and it is obviously a field which needs to be recycled.

I meant to say CoyoteRequest.  :-)

> "Fixing" this will create a major security issue. Please refrain from 
> fixing things you do not seem to understand well, or please only do so 
> in Sun's repositories.

I see that there will be security issues if we don't clean up the field 
in the request.  No such fix will go into Sun's repositories if it's a 
security issue.  I obviously posted the email to the list for additional
comments to understand the code better.


> Remy
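The point about clearing the field in recycle(), as an added example that is not Tomcat's code and not written by either poster: a simplified model of a connector that reuses one request object for unrelated requests, showing what the next request sees when the principal is and is not reset. `PooledRequest`, `RequestPool`, `seenByNextRequest` and the sample identity are hypothetical names constructed for illustration.

```java
import java.security.Principal;
import java.util.ArrayDeque;
import java.util.Deque;

// Simplified model, not Tomcat code: PooledRequest and RequestPool are hypothetical.
public class RecycleDemo {

    static final class PooledRequest {
        private final boolean clearOnRecycle;
        private Principal userPrincipal;
        PooledRequest(boolean clearOnRecycle) { this.clearOnRecycle = clearOnRecycle; }

        void setUserPrincipal(Principal p) { userPrincipal = p; }
        Principal getUserPrincipal() { return userPrincipal; }

        // Runs after each response, before the object serves an unrelated request.
        void recycle() { if (clearOnRecycle) userPrincipal = null; }
    }

    static final class RequestPool {
        private final Deque<PooledRequest> free = new ArrayDeque<>();
        private final boolean clearOnRecycle;
        RequestPool(boolean clearOnRecycle) { this.clearOnRecycle = clearOnRecycle; }

        PooledRequest acquire() {
            PooledRequest r = free.poll();
            return r != null ? r : new PooledRequest(clearOnRecycle);
        }

        void release(PooledRequest r) { r.recycle(); free.push(r); }
    }

    // Identity that a second, unauthenticated request observes on the reused object.
    static String seenByNextRequest(boolean clearOnRecycle) {
        RequestPool pool = new RequestPool(clearOnRecycle);
        PooledRequest first = pool.acquire();
        first.setUserPrincipal(() -> "admin-user");   // constructed sample identity
        pool.release(first);
        PooledRequest second = pool.acquire();        // same object, different client
        Principal p = second.getUserPrincipal();
        return p == null ? "(none)" : p.getName();
    }

    public static void main(String[] args) {
        System.out.println("recycle() keeps principal:  " + seenByNextRequest(false));
        System.out.println("recycle() clears principal: " + seenByNextRequest(true));
    }
}
```

In this model, leaving the field set means the next request handled by the same object carries the previous client's identity without authenticating.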