Subject: svn commit: r1225010 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/authenticator/NonLoginAuthenticator.java webapps/docs/changelog.xml
Date: Tue, 27 Dec 2011 20:44:21 -0000
To: dev@tomcat.apache.org
From: markt@apache.org
Message-Id: <20111227204421.413342388A36@eris.apache.org>

Author: markt
Date: Tue Dec 27 20:44:20 2011
New Revision: 1225010

URL: http://svn.apache.org/viewvc?rev=1225010&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=52303
Allow web applications that do not have a login configuration to participate in a SSO session.
Patch provided by Brian Burch.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Dec 27 20:44:20 2011
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java?rev=1225010&r1=1225009&r2=1225010&view=diff
==============================================================================
---
tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/authenticator/NonLoginAuthenticator.java Tue Dec 27 20:44:20 2011 @@ -5,9 +5,9 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -20,11 +20,13 @@ package org.apache.catalina.authenticato import java.io.IOException; +import java.security.Principal; import javax.servlet.http.HttpServletResponse; import org.apache.catalina.connector.Request; import org.apache.catalina.deploy.LoginConfig; +import org.apache.catalina.Session; 
@@ -68,16 +70,42 @@ public final class NonLoginAuthenticator /** - * Authenticate the user making this request, based on the specified - * login configuration. Return true if any specified - * constraint has been satisfied, or false if we have - * created a response challenge already. - * - * @param request Request we are processing - * @param response Response we are populating - * @param config Login configuration describing how authentication - * should be performed + * Authenticate the user making this request, based on the fact that no + * login-config has been defined for the container. + * + * This implementation means "login the user even though there is no + * self-contained way to establish a security Principal for that user". + * + * This method is called by the AuthenticatorBase super class to + * establish a Principal for the user BEFORE the container security + * constraints are examined, i.e. it is not yet known whether the user + * will eventually be permitted to access the requested resource. + * Therefore, it is necessary to always return true to + * indicate the user has not failed authentication. + * + * There are two cases: + * + * - without SingleSignon: a Session instance does not yet exist + * and there is no auth-method to authenticate the + * user, so leave Request's Principal as null. + * note: AuthenticatorBase will later examine the security constraints + * to determine whether the resource is accessible by a user + * without a security Principal and Role (i.e. unauthenticated). * + * - with SingleSignon: if the user has already authenticated via + * another container (using its own login configuration), then + * associate this Session with the SSOEntry so it inherits the + * already-established security Principal and associated Roles. 
+ * note: This particular session will become a full member of the + * SingleSignOnEntry Session collection and so will potentially + * keep the SSOE "alive", even if all the other properly + * authenticated Sessions expire first... until it expires too. + * + * @param request Request we are processing + * @param response Response we are creating + * @param config Login configuration describing how authentication + * should be performed + * @return boolean to indicate whether the user is authenticated * @exception IOException if an input/output error occurs */ @Override 
@@ -86,23 +114,51 @@ public final class NonLoginAuthenticator LoginConfig config) throws IOException { - /* Associating this request's session with an SSO would allow - coordinated session invalidation, but should the session for - a webapp that the user didn't log into be invalidated when - another session is logged out? - String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE); - if (ssoId != null) - associate(ssoId, getSession(request, true)); - */ - - if (containerLog.isDebugEnabled()) - containerLog.debug("User authentication is not required"); - return (true); - + Principal principal = request.getUserPrincipal(); + if (principal != null) { + // excellent... we have already authenticated the client somehow, + // probably from another container that has a login-config + if (containerLog.isDebugEnabled()) + containerLog.debug("Already authenticated as '" + + principal.getName() + "'"); + + // create a new session (only if necessary) + Session session = request.getSessionInternal(true); + + // save the inherited Principal (if necessary) in this + // session so it can remain authenticated until it expires + session.setPrincipal(principal); + session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal); + + // is there an SSO session cookie? + String ssoId = + (String) request.getNote(Constants.REQ_SSOID_NOTE); + if (ssoId != null) { + if (containerLog.isDebugEnabled()) + containerLog.debug("User authenticated by existing SSO"); + // Associate session with the existing SSO ID if necessary + associate(ssoId, session); + } + // user was already authenticated, with or without a cookie + return true; + } + + // No Principal means the user is not already authenticated + // and so will not be assigned any roles. It is safe to + // to say the user is now authenticated because access to + // protected resources will only be allowed with a matching role. + // i.e. SC_FORBIDDEN (403 status) will be generated later. 
+ if (containerLog.isDebugEnabled()) + containerLog.debug("User authenticated without any roles"); + return true; } + /** + * Return the authentication method, which is vendor-specific and + * not defined by HttpServletRequest. + */ @Override protected String getAuthMethod() { return "NONE"; Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1225010&r1=1225009&r2=1225010&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Dec 27 20:44:20 2011 @@ -88,6 +88,11 @@ instead of platform default encoding. (markt/kkolinko) + 52303: Allow web applications that do not have a login + configuration to participate in a SSO session. Patch provided by Brian + Burch. (markt) + + 52384: Do not fail with parameter parsing when debug logging is enabled. (kkolinko) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org
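Review bot: the @@ -5,9 +5,9 @@ hunk changes only trailing whitespace on two `*` lines of the license header and has nothing to do with bug 52303; keeping whitespace-only churn out of a functional backport keeps the 7.0.x merge record easier to audit.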
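Review bot: in the @@ -20,11 +20,13 @@ hunk the new `import org.apache.catalina.Session;` is placed after `import org.apache.catalina.deploy.LoginConfig;`, breaking the sorted order of the `org.apache.catalina` imports; group it with the other `org.apache.catalina` imports in sorted order.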
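Review bot: in the @@ -68,16 +70,42 @@ hunk the new `@return boolean to indicate whether the user is authenticated` tag contradicts the paragraph above it, which explains that this method must always return true; say so in the tag (for example `@return always true, since authorization is decided later by the security constraints`) so nobody reading only the signature assumes a false result is possible. The note that a session in a never-logged-into webapp becomes a full member of the SingleSignOnEntry collection and can keep it alive is the fact a deployer most needs; it belongs in the SingleSignOn valve documentation as well as in this javadoc.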
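Review bot: the comment removed in the @@ -86,23 +114,51 @@ hunk asked whether the session of a webapp the user never logged into should be invalidated when another SSO session logs out; the new `associate(ssoId, session)` answers yes, which changes observable logout behaviour for every 7.0.x deployment using SingleSignOn and should be stated explicitly rather than left implicit. Two smaller points: `session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal)` stores the inherited Principal under a FORM-specific note although this authenticator reports `NONE` from `getAuthMethod()`, so either explain why `session.setPrincipal(principal)` alone is not enough or drop the note; and `request.getSessionInternal(true)` now creates a container session on the first request from any already-authenticated user, which matters for applications that previously ran session-less.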
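Review bot: the @@ -88,6 +88,11 @@ changelog hunk repeats the commit message but not the user-visible consequences (sessions in applications without a login-config now join the SSO session, are invalidated on SSO logout and keep the SSO entry alive); a behaviour change of this kind should be named in the entry. Minor: "a SSO session" reads better as "an SSO session".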