tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 54190] New: TestNonLoginAndBasicAuthenticator does not test session timeout properly
Date Thu, 22 Nov 2012 13:10:23 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=54190

            Bug ID: 54190
           Summary: TestNonLoginAndBasicAuthenticator does not test
                    session timeout properly
           Product: Tomcat 7
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: Brian@PingToo.com
    Classification: Unclassified

Created attachment 29621
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29621&action=edit
Extensive update to the test class to demonstrate session timeout properly

While working on a new test case for a different Authenticator, I decided to
follow the timeout test case in this class. Although all the test cases
currently run successfully, I discovered three fundamental flaws in the
existing timeout test case:

1. The BasicAuthenticator does not create a session by default, so there was no
session to actually timeout.
2. Context.setSessionTimeout() was called with a timeout in seconds, but this
method expects a timeout argument in minutes.
3. The presence of 401 Unauthorized status was intended to confirm a session
timeout, but it was erroneously succeeding because no credentials were supplied
when attempting to re-access the protected resource.

The attached patch is quite extensive, but cannot easily be broken into smaller
units:
1. The AuthenticatorBase.setAlwaysUseSession variable can now be manipulated by
test cases.
2. The doTestBasic method has been reimplemented so that it only makes a single
HTTP GET request (instead of two).
3. doTestBasic can now be controlled to authenticate or not, and it will also
harvest a session cookie and can also supply that cookie in subsequent
requests.
4. The doTestNonLogin method can be controlled to send a saved session cookie.
5. The erroneous timeout test case has been reimplemented has been renamed and
properly commented to explain that it is not testing a timeout.
6. A new session persistence test case has been added.
7. A new session persistence timeout test case has been added.
8. Raw boolean control flags have been replaced with self-documenting
constants.
9. Helpful comments have been added in some places where the logic is not
self-evident.

The enclosed patch file is backward compatible and passes checkstyle.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message