tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r992373 - in /tomcat/tc5.5.x/trunk: STATUS.txt container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java container/webapps/docs/changelog.xml
Date Fri, 03 Sep 2010 16:56:31 GMT
Author: markt
Date: Fri Sep  3 16:56:30 2010
New Revision: 992373

URL: http://svn.apache.org/viewvc?rev=992373&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749
Add httpOnly support to SSO cookie

Modified:
    tomcat/tc5.5.x/trunk/STATUS.txt
    tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
    tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml

Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=992373&r1=992372&r2=992373&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Fri Sep  3 16:56:30 2010
@@ -66,15 +66,3 @@ PATCHES PROPOSED TO BACKPORT:
   -- see attachment 25657 in BZ 49521, but I do not think that it is worth it.)
   jim: Also not comfortable with such a change this late in the game
        regarding default behavior of a stable branch.
-
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49749
-  Add httpOnly support to SSO cookie
-  http://people.apache.org/~markt/patches/2010-08-25-bug49749.patch
-  +1: markt, rjung
-  -1:
-  +1: kkolinko: Looking for usages of Constants.SINGLE_SIGN_ON_COOKIE,
-     in SingleSignOn.invoke() there is one more call to response.addCookie().
-     It is used to remove the cookie, so I think HttpOnly is not important there
-     and thus I am letting this pass. The SingleSignOn valve is usually added to
-     a <Host> (looking at the default server.xml), so we have to call
-     request.getContext() to get a Context there?

Modified: tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=992373&r1=992372&r2=992373&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
(original)
+++ tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java
Fri Sep  3 16:56:30 2010
@@ -800,7 +800,7 @@ public abstract class AuthenticatorBase
                 cookie.setDomain(ssoDomain);
             }
 
-            response.addCookie(cookie);
+            response.addCookieInternal(cookie, context.getUseHttpOnly());
 
             // Register this principal with our SSO valve
             sso.register(ssoId, principal, authType, username, password);

Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=992373&r1=992372&r2=992373&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Fri Sep  3 16:56:30 2010
@@ -57,6 +57,10 @@
         Return a copy of the URL being used from the webapp class loader, not
         the original array. (kkolinko/markt)
       </fix>
+      <fix>
+        <bug>49749</bug>: Use HttpOnly flag of current context when genrating
+        a Single-Sign-On cookie. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message