tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nelson, Luke" <Luke.Nel...@itssiemens.com>
Subject RE: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenti cator SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java DigestAuthenticator.java FormAuthenticator.java NonLoginAuthenticator.java SSLAut
Date Mon, 24 Nov 2003 20:31:00 GMT
Brian, I believe I just fixed those issues.  See the latest patch to
9077.

Luke Nelson

> -----Original Message-----
> From: Brian Stansberry [mailto:brian_stansberry@wanconcepts.com]
> Sent: Monday, November 24, 2003 1:27 PM
> To: Tomcat Developers List
> Subject: Re: cvs commit: jakarta-tomcat-
> catalina/catalina/src/share/org/apache/catalina/authenti cator
> SingleSignOnEntry.java AuthenticatorBase.java BasicAuthenticator.java
> DigestAuthenticator.java FormAuthenticator.java
NonLoginAuthenticator.java
> SSLAut
> 
> At 08:21 PM 11/24/2003 +0100, Remy wrote:
> >Brian Stansberry wrote:
> >>At 11:56 AM 11/24/2003 -0600, Luke Nelson wrote:
> >>
> >>>I have tried applying the patch, and I found three problems with
> >>>it. First, its removal of a session from the SingleSignOnEntry
> >>>object causes an IndexOutOfBounds exception.  Second, the method
> >>>for determining whether the user explicitly logged out or whether a
> >>>session timed out doesn't scale one of the numbers correctly (i.e.
> >>>comparing millisecond values to seconds).  I have fixed the patch,
> >>>but I don't have a diff of it yet (I'm new to helping with this
> >>>project).  Finally, the patch doesn't synchronize on 'reverse' when
> >>>removing an entry from it.
> >>
> >>I also looked at the code for StandardSession.getLastAccessedTime()
> >>and it looks as if it will throw an IllegalStateException if the
> >>session is expired.  So that would break the algorithm used in the
> >>9077 patch.
> >>BTW, the javadoc for javax.servlet.http.HttpSession doesn't specify
> >>throwing an IllegalStateException for a call to
> >>getLastAccessedTime().  It looks as if the exception throw  was
added
> >>in response to bug 15967, which stated that the javadoc does specify
> >>the exception, but I'm looking at the javadoc for both Servlet 2.3
> >>and 2.4, and in both cases it's not specified.
> >
> >Can you address those issues ASAP ? (incl the array out of bounds and
the
> sync issue)
> 
> Sure; I'm starting on it now.  However, Jean-Francois found a
HttpSession
> javadoc that specifies throwing an IllegalStateException in
> getLastAccessedTime().  If that is in the final spec, the 9077 patch
> algorithm will not work.  I'll work on it anyway in case the
exception's
> not in the final spec.
> 
> As a backup, I've attached a patch that restores your earlier removal
of
> the logout code.
> 
> 
> Brian Stansberry
> WAN Concepts, Inc.
> www.wanconcepts.com
> Tel:    (510) 894-0114 x 116
> Fax:    (510) 797-3005

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message